
>which is effectively the same as not having a firewall for incoming connections

Not the same. Intranet-only services are still protected.



Between malicious or infected hosts inside the network (your own or guests') and the widespread prevalence of hacked routers you really shouldn't trust incoming traffic on the mere basis that it appears to originate from the local network. It's better to treat the intranet as nothing more than a more performant subset within the broader Internet, and all network services as Internet-facing services. Trust no one without authentication.

Assuming you're stuck with some insecure legacy protocol which relies on such rules, however, it's still quite simple to restrict incoming connections to a specific subnet on the host itself, either with local firewall rules or a few lines of code in the application. In a network with UPnP the host is the authority on which connections should be allowed, whether we're talking about Internet services or intranet-only ones, and the host can block incoming connections at least as well as the router. In the absence of NAT there is no need for the router to get involved.
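The host-side restriction the comment above describes, worked through as an added example (not code from the commenter or from any project the thread discusses). It assumes a constructed allow-list `ALLOWED_NETS` of private ranges plus loopback, a stand-in echo protocol in place of whatever legacy service is involved, and a hypothetical `serve_and_probe` helper that only exists to exercise the gate from loopback. The gate lives in `verify_request`, which `socketserver` consults before the handler reads anything, so a peer outside the allowed subnets is closed without ever reaching protocol code.

```python
"""Host-side subnet gate for an intranet-only TCP service (added example)."""
import ipaddress
import socket
import socketserver
import threading

# Constructed allow-list: RFC 1918 ranges, loopback and IPv6 ULA space.
# A real deployment narrows this to the one subnet the service should serve.
ALLOWED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
]


def is_allowed(peer_ip, allowed_nets=ALLOWED_NETS):
    """True if peer_ip lies inside one of allowed_nets; fail closed otherwise.

    A dual-stack socket reports IPv4 clients as IPv4-mapped IPv6 addresses
    (::ffff:a.b.c.d); those are unwrapped so the check sees the IPv4 address.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparsable peer address: deny rather than guess
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # ipaddress answers False for a v4 address tested against a v6 network
    # and vice versa, so mixed-family entries in the list are harmless.
    return any(addr in net for net in allowed_nets)


class SubnetGatedServer(socketserver.ThreadingTCPServer):
    """TCP server that drops peers outside ALLOWED_NETS before the handler
    reads a byte: socketserver calls verify_request first and, on False,
    closes the connection without dispatching it."""
    allow_reuse_address = True
    daemon_threads = True

    def verify_request(self, request, client_address):
        return is_allowed(client_address[0])


class EchoHandler(socketserver.StreamRequestHandler):
    """Stand-in for the legacy protocol: echo one line back."""
    def handle(self):
        line = self.rfile.readline()
        self.wfile.write(b"ok: " + line)


def serve_and_probe(probe_line=b"ping\n"):
    """Hypothetical helper: run the gated server on loopback (an allowed
    address), connect once, and return the reply the client received."""
    server = SubnetGatedServer(("127.0.0.1", 0), EchoHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        with socket.create_connection(server.server_address, timeout=5) as s:
            s.sendall(probe_line)
            return s.makefile("rb").readline()
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(serve_and_probe())          # loopback is allowed: b'ok: ping\n'
    print(is_allowed("203.0.113.7"))  # a public address is refused: False
```

The same policy as a kernel rule is one line of iptables, for instance `iptables -A INPUT -p tcp --dport 8080 ! -s 192.168.0.0/16 -j DROP`, and either form is as effective as a router rule for a service that is reached directly rather than through NAT. Both only inspect the source address the kernel saw, which an attacker on the same segment or on a compromised router can present at will, so this is a containment measure for a protocol that cannot authenticate, not a substitute for authentication.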



