The password restrictions are built in for email/password and currently only enforced.
Perhaps, for more dedicated auth logic, you can use custom-function authentication, where you can do whatever checks you like for passwords:
https://docs.mongodb.com/realm/authentication/custom-function/
Thanks
Pavel
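
Added example, not part of the reply above and not MongoDB's code: a sketch of the kind of password check a custom authentication function could run before it accepts a registration. It assumes the function receives the login payload and returns a unique string id for the user. `checkPassword`, `authFunction`, the `register` payload field, the `deps` object and the deny list are all hypothetical names and constructed values.

```javascript
// Constructed sample deny list; a real one would be far larger.
const COMMON = new Set(["password", "123456789012", "qwertyuiopas"]);

// Returns a list of policy violations; an empty list means acceptable.
function checkPassword(password, username) {
  if (typeof password !== "string") return ["password must be a string"];
  const problems = [];
  const length = [...password].length; // code points, not UTF-16 units
  if (length < 12) problems.push("shorter than 12 characters");
  if (length > 128) problems.push("longer than 128 characters");
  const lower = password.toLowerCase();
  if (COMMON.has(lower)) problems.push("on the common-password deny list");
  if (username && username.length >= 3 && lower.includes(username.toLowerCase()))
    problems.push("contains the username");
  if (new Set(lower).size < 5) problems.push("fewer than 5 distinct characters");
  return problems;
}

// Hypothetical handler in the shape of a custom auth function: takes the
// login payload, returns the user's id string, throws to reject.
// deps.users is a Map standing in for a users collection; deps.hash and
// deps.verify stand in for a real password-hashing library (assumption).
function authFunction(payload, deps) {
  const { username, password, register } = payload || {};
  if (typeof username !== "string" || typeof password !== "string")
    throw new Error("username and password are required");
  const existing = deps.users.get(username);
  if (register) {
    if (existing) throw new Error("registration failed");
    const problems = checkPassword(password, username);
    if (problems.length)
      throw new Error("weak password: " + problems.join("; "));
    const id = "user-" + (deps.users.size + 1);
    deps.users.set(username, { id, hash: deps.hash(password) });
    return id;
  }
  // Same error for unknown user and wrong password, so the response
  // does not reveal which usernames exist.
  if (!existing || !deps.verify(password, existing.hash))
    throw new Error("invalid credentials");
  return existing.id;
}
```

Because the custom function owns the whole credential check, it also has to store and verify password hashes itself; the policy check only decides which passwords are accepted at registration.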