How to prevent ntpd to listen on 0.0.0.0:123?

Remove all -I or --interface options from /etc/default/ntp and insert the following into your /etc/ntp.conf:

interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
# NOTE: if you want to update your time using remote machines,
# add at least one remote interface address:
#interface listen 2001:db8::1
#interface listen 192.0.2.1

An excerpt from the ntpd(1) manual page about the -i option:

This option also implies not opening other addresses, except wildcard and localhost. Please consider using the configuration file interface command, which is more versatile.

See also the Debian manual page (I could not find it in Arch Linux one) of ntp.conf(5).

With ntp listening only on 127.0.0.1, it looks like it can't initiate connection to a public ntp server :

$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
ks370079.kimsuf **.INIT.**       16 -    -   64    0    0.000    0.000   0.000

It must be bind to a routable ip address to work.

Full /etc/ntp.conf that protocol neutral (IPv4 &| IPv6)

driftfile /var/lib/ntp/ntp.drift

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

restrict lo

interface ignore wildcard
interface listen lo

If you want to reduce the number of listening services for security reasons, openntpd might be considered, as it does not require a listen server to act as a client. It is considered slightly less accurate than ntpd; it is reliable within a few hundred ms, but this is suitable for most purposes.