Running passbolt on the same server than for example your wordpress blog or a server administration panel, or other services accessible to an attacker is not a good idea. Indeed an attacker could use a weakness or a misconfiguration in one of the service sitting next to passbolt to gain access to your server.
If you don’t think this is a realistic scenario attacker train for, check out https://www.hackthebox.com/ you will be find a “Bolt” exercise that is a good example of such scenario.