We have a development server where we build sites before we deploy them to the production server. After deploying to production server the dev site is not needed anymore, but still don't want to delete that for a while if we need something from the dev site (files, config, assets pointing to old domain etc.).
For us the problem is not the visibility, but missing security updates. Of course it would be handy for example for phpMyAdmin etc. web apps.
My suggestion is to add the deactivate/activate button, which deny/allow access to web app via http.