NetworkPolicy for external access but not from other Namespaces

I have a NetworkPolicy taking effect for allowing external access to Deployments matching a specific label. So far, so simple.

The problem is, that Pods from other Namespaces can access these Deployments, even though communication between Pods of different Namespaces is blocked entirely, within the Cluster network.

How is it possible to have a NetworkPolicy setup (or a similar solution), to allow access to certain Deployments from outside the Cluster, without allowing access from Pods within other Namespaces, through the Cluster Network?

A NetworkPolicy which blocks communication between objects from different Namespaces is already part of the setup. It just seems like allowing external access makes the other NetworkPolicy futile, as Deployments become accessible not only from outside the Cluster, but also from other Namespaces on the Cluster network.