Look, if you are going to this extreme, then maybe a $100 home automation system isn’t the best choice for you as far as home security goes.
Curious how you put a fixed IP on a device whose IP address you cannot administer because it has no administration page you can access. You must be using DHCP reservation.
There is a reason they call something like this the “cloud”. The reason is that there is no definition. Things change all the time. IP Addresses are going to get added/changed/deleted and there is zero you can do about it and complaining on a forum isn’t going to change that. If you want control, then you need 100% of it to run locally. That is not how this system works.
How much time did you waste on something you have no control over? Are you going to be continuously monitoring every DNS zone SmartThings employs? I mean it stops as soon as you hit “amazonaws.com”. It hits 3rd party at that point and then you have to monitor all of Amazon and then it can spread out from there.
You have to look at your attack surface. What are you hoping to prevent? From what I can see, SmartThings only communicates by IP to the cloud. Locally, it is Z-Wave and Zigbee, which are Layer-2 protocols. The SmartThings hub is the gateway. And it is the Samsung cloud that communicates with the 3rd party systems, such as Nest, Ecobee, IFTTT, Ring, Amazon, Google, etc., not the actual hub, so all that is going on outside of your hub. If I wanted to attack SmartThings, that is where I would focus my attacks, not someone’s house that may or may not have SmartThings. I am pretty sure you are not hosting a static IP at your home and if you are, great, but it does not gain you much.
If you wanted to ensure that the SmartThings hub could not communicate by IP with any other device, you would put it on a /30 network with only its default gateway on the same network. It could not get outside its network. There is no WiFi in it. Put it on a /30 network and there are no other devices on the wired side it can communicate with if it ever were compromised to the point of doing IP and port scans.
If you want to minimize https traffic, then limit your source ports to above tcp/1023. That is what I check on source ports for devices wanting to hit anything on our network. That takes care of the exploits that modify source ports to easily leave your target’s network.
And then you have to think about https traffic itself. It is SSL-based. That is tcp/443. So it does not look like anything is going in and out in clear text. SmartThings is only going to add the root certificates that it uses with the device. I highly doubt that it has a comprehensive list of root certs in it outside of what is required by the product, and it is not going to click through any certificate errors like an end user would. There is a finite amount of memory and non-volatile RAM in it. So, an attacker would have to get a signed certificate for Amazon or SmartThings to exploit the https communication by the certificate signing authority, which I doubt that said signing authority would want to jeopardize its business and lose customers, like Amazon and SmartThings, just so someone could hack into your home network.
That takes care of the electronic side. The only other thing to worry about is the physical access into your house.
If you are that worried about it, do not install locks that can be remotely unlocked. Go back to a key. You cannot electronically compromise them. And then, the person trying to gain access is going to have to be on your property, anyway. Why not use a sledgehammer through a window or break the door down?
And @tgauchat is 100% right. The Terms of Service indemnifies SmartThings from any legal course you could take so you are pretty much up a creek even if anything should happen.
So, I maintain that the juice is not worth the squeeze. You are complaining about something you cannot control and will not be able to control, and if this is a problem for you that you cannot get over, then this is not the product for you.
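An added example, not part of the post above: a small audit of flow records from a hub placed on its own /30, checking the two controls the post describes (the gateway as the only on-link peer, and egress limited to tcp/443 from source ports above 1023). The addresses, the flow-record layout and the assumption that the gateway also serves DNS/DHCP to the hub are constructed for illustration.

```python
import ipaddress

# Constructed values (assumptions, not from the post).
HUB_NET = ipaddress.ip_network("192.168.50.0/30")
GATEWAY = ipaddress.ip_address("192.168.50.1")
HUB = ipaddress.ip_address("192.168.50.2")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    ("192.168.50.2", 49152, "203.0.113.10", 443, "tcp"),   # expected cloud HTTPS
    ("192.168.50.2", 443, "203.0.113.10", 443, "tcp"),     # low source port
    ("192.168.50.2", 50123, "192.168.1.20", 445, "tcp"),   # reaching into the LAN
    ("192.168.50.2", 51000, "198.51.100.7", 8080, "tcp"),  # non-HTTPS egress
    ("192.168.50.2", 52000, "192.168.50.1", 53, "udp"),    # DNS to the gateway
]

def segment_peers(net, hub):
    """Usable addresses the hub can reach on-link; a /30 leaves only one."""
    return [h for h in net.hosts() if h != hub]

def check_flow(flow):
    """Return the list of policy violations for one flow from the hub."""
    src, sport, dst, dport, proto = flow
    dst_ip = ipaddress.ip_address(dst)
    problems = []
    if ipaddress.ip_address(src) != HUB:
        problems.append("source is not the hub")
    if dst_ip == GATEWAY:
        return problems  # assumed: gateway provides DNS/DHCP to the hub
    if any(dst_ip in n for n in RFC1918):
        problems.append("destination is a private address behind the gateway")
    if proto != "tcp" or dport != 443:
        problems.append("egress is not tcp/443")
    if sport <= 1023:
        problems.append("source port is not above 1023")
    return problems

def audit(flows):
    """Map flow index -> violations, for flows that break the policy."""
    return {i: p for i, f in enumerate(flows) if (p := check_flow(f))}

if __name__ == "__main__":
    print("on-link peers:", segment_peers(HUB_NET, HUB))
    for idx, problems in audit(SAMPLE_FLOWS).items():
        print(SAMPLE_FLOWS[idx], "->", "; ".join(problems))
```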