I did have in the past a network which also had deliberately no Internet connectivity. This meant it was not possible to sync to normal Internet NTP servers. At the time Apple still included NTP software and I was able to configure it to have two Mac servers sync to each other by defining also a third virtual server in the ntp config.
It worked but tended to reinforce the discrepancy between the two servers making them stray from a correct time much faster than a single system. However it achieved the goal of having an active NTP server which clients could sync to. A single NTP server with no feed will not activate itself as an NTP server.
GPS would be possible (at a cost) without Internet access but you would have to trust the GPS signal. Another option would be to use a radio receiver to listen to the radio broadcast of an atomic clock. Again you have to trust the data.
I would not see a radio receiver as a security risk for a standalone network.
In theory this would be fairly cheap - much cheaper than either a real atomic clock or GPS receiver.
See - https://www.vanheusden.com/lpc-ntpd/lindy_precision_clock.php and https://www.lindy.co.uk/usb-precision-clock-corrects-time-on-pcs-p2389