Can I make https://my-domain/.well-known/jwks.json publicly available?

Oathkeeper is exposed via its public port, but for JWT consumers to have access to public keys in JWKS, they need to be able to fetch it. So I guess i should also expose the .well-known/jwks.json path from oathkeeper api path. Otherwise I am not exposing the api paths, because they seem sensitive. Am I understanding this right?

You can, but only if you use public/private keys (RSA, ECDSA, …). If you include symmetric keys (HS / HMAC-SHA) do not expose the endpoint!