Yes, you do. Clients must be able to traverse junction tree starting from the top (i.e. "/"), which means "/" must allow at least read-only mount. The only way to harden it would be to restrict visibility of files/directories under "/", so that even if clients mount it, they won't be able to see its content.
Set "/" unix-permissions to something like 0711 (of course make sure owner is root) and create mninimal export-policy that only allows ro mount, but no rw, no root etc. Then nobody can list content of /, but still explicitly enter subvolumes or mount them.