Don't create a publicly available webpage showing bandwidth history or any statistics about the machine (e.g. CPU/RAM usage) as these can be used in surprising ways to attack users

don’t create a publicly available webpage showing bandwidth history or any statistics about the machine (e.g. CPU/RAM usage) as these can be used in surprising ways to attack users.

from Expectations for relay operators - The Tor Project - Policies

Does this mean I have to hide away mrtg stats like the attached one?

It is a 5 minute average of the network interface traffic. Additionally the mrtg contains load average: 1.67, 1.89, 2.04 updated every 5 minutes…

Is this really critical and has to be protected from 3rd parties? Meaning I need to setup https for this and an authentication?

Based on the fact that attacker can set up his own relay and look at bandwidth history, I dont take this advice seriously.

Yes, but not because you run a Tor relay. Rather because that is common sense nowadays.
FWIW I do use NGinx, a self-signed CA and iptables for that [1]

[1] GitHub - toralf/tor-relays: A stack to deploy Tor relays or Snowflake

Why is this stated as an expectation then, if I do not have to do it because of running a relay?

What information is there I have to hide? It is a static website, which is compiled locally, not an API… What are the surprising ways to attack users with the combined traffic summary of usually 4 relays and a load average updated every 5 minutes?