I would not dare to say that there are general practices, since many organizations will organize their security differently, and based on those practices you can work with the VBR server also. A few things to think about:
1) Putting VBR server in a different domain is perfectly possible.
2) Try to use a specific username/password (as lengthy as possible) for your repository. Write it somewhere, put it in an envelope and move it to the company's safety vault.
3) Depending on how many backup admins you have, try to keep them as low as possible and use roles in Enterprise Manager to keep the restore operators from seeing everything.
These are just a few to start with. Obviously I would advise a firewall (even Windows Firewall to start with) and blocking network traffic between servers and VBR if that is not necessary. But it would obviously take some time to map all that out.
Just a start