Assuming the public zone is the only active zone, IMO that should be sufficient.
The permanent firewall is what is restored (brought up) when boot-up occurs so you could --remove-service openvpn in the run-time instance if you note a problem in openvpn and run firewall-cmd --complete-reload (disconnects any hanging connections) to allow the permanent firewall to take effect when the problem is fixed (Or maybe just reboot).
The drop zone drops everything anyway and appears not active so doesn't act in this scope.