SFTP and SCP are protocols that run under SSH. In a few words, it cannot get more seure than that.
Now, there are a few other things you can do, but not really to make it more secure. It would help with hackers scanning your IP from the outside/inside though, of course, until it is found.
Change port is an option. However, you can keep 22 on the NAS and open a different one to the internet. In a few words, router will listen on port x and forward to port 22.
MBL live runs Debian Lenny, so yes, you could only allow some IPs to connect to. However, you would need to be an advanced user to set this up, as you have to take into consideration lots of other things, such as WD’s software and all its settings
3rd, yes, you might be able to setup the router to permit/deny connections. But it all depends on the routers. Some have the options some don’t.
Finally, the OS on MBL is Debian Lenny, so in a few words, you can make it do anything you want. Specially if you are a Linux Expert.