Well, I've tested this and so far no weirdness has occurred when adding a replica or making various changes via the web UI, as far as I can tell nothing rewrites the named.conf after the replica has been set up.

Changed "allow-recursion { any; }" to "allow-recursion { internal; }", and added the following ACL:

acl "internal" {
    10.0.0.0/8;
    localhost;
    localnets;
};

Also figured out that I can change the faked mname in the web UI at Network Services > DNS > DNS Servers > (select a server) > SOA mname override. This of course changes the mname for zones that only resolve internally to (most of them) but it doesn't matter because the external name I set will be accessible internally too, and everything nominally uses the internal IPs of the replicas for name resolution anyways. I added externally resolvable names for the replicas to the public zone, changed the NS records to those, and set the fake mname accordingly for each server. Presto! Public zone served from FreeIPA without public recursion, on same server that handles internal zones with recursion, and so far no changes I've made in the web UI have rewritten my zones to undo any of this (which apparently used to be a problem?)

Still would be nice if I could set this up via the UI and thus have the ACL automatically configured on every replica, but it's no big deal, since once I set it in named.conf IPA doesn't appear to change it.

On Tue, Nov 27, 2018 at 10:26 PM Jonathan Vaughn <jonathan@creatuity.com> wrote:
We have a use case for letting the FreeIPA named instances handle public DNS for some zones, but we don't want them to allow anyone to use it as a recursive resolver (DoS attacks and such).

I tested simply changing 'any' to 'none' for the allow-recursion setting in /etc/named.conf and that worked as expected - the next step being to actually set it like we have our existing non-IPA servers configured to allow only internal/known public subnets to perform recursion, which I expect will work as well (using a named ACL instead of none/any).

Is there a nice UI way (or command line) to change the allow-recursion setting in way that is more in line with the usual management of settings for FreeIPA, and would ensure it wouldn't get overwritten at some point by FreeIPA? Is that even a concern, or should we expect that /etc/named.conf is going to be safe from changes due to anything like adding/removing replicas and so on (looks like that may all be in LDAP)?