In any event you should be fine as long as you don't allow IAX guests.
That's not my interpretation of what's written on asterisk.org:
"All users are urged to upgrade as soon as they can practically do so, or
ensure that they don't expose IAX2 services to the public if it is not necessary." (my italics).
There doesn't appear to be a more in-depth explanation anywhere, but my understanding of "expose to the public" means have port 4569 (or whatever one you've got your iax service listening on) open to the entire internet. It doesn't appear to me to have anything to do with guest users.
However, i may be misunderstanding what they're trying to say.