You could also remove the ip address on the dbbr0 and webbr0, so your host doesn’t know how to get to the webbr0 and dbbr0.
You need to use fixed ip adresses and assign them yourself in the containers.
At last you should offcourse then attach the webbr0 and dbbr0 to the haproxy container. So the only one who knows how to get to the dbbr0 and webbr0 subnets is the haproxy.