The same DNS rebinding attack vector is also found on Roku devices (CVE-2018–11314). The researcher says that Roku devices expose an API server on port 8060, accessible from a user's internal network.
An attacker could use a DNS rebinding attack to send requests to this API server and control basic device functions such as launching apps, searching, playing content, and even simulating keys input using a virtual keyboard app.
If my DNS is compromised, it means my router is compromised. If my router is compromised, my network is compromised. I fail to see how it helps to make the Roku require an IP address for API access, since anyone on my compromised network could find its IP address easily.
Regardless, I've already taken care of it on my end in Home Assistant's Roku integration. Hopefully you find a better way to fix it down the road.