• 0 Posts
  • 7 Comments
Joined 1 year ago
Cake day: July 23rd, 2023

  • It’s mostly about syncing data between your different devices, without having to use a cloud service. I want to be able to organize the budget on my PC and look it up on my phone for example, without having to keep my PC running or manually sync them.

    Another aspect is backups and redundancy. My NAS has all my data, and it does an encrypted cloud backup every night. I don’t have to remember that or make sure it gets the latest changes, because it’s always running and always up to date.

    It’s also just a fun little hobby to tinker with it and figure things out.


  • The key is to do regular backups to a different location, and to keep previous versions as read-only backups for a certain timespan. If something happens to the local data you can just restore from the remote backup, and also pick an unmodified previous version in case of a ransomware attack.

    E.g. I do a daily encrypted cloud backup of everything that can’t just be downloaded again, and the backup provider keeps previous versions for 30 days.


  • It’s a matter of risk management, and your personal situation and willingness to sacrifice convenience to reduce risk. There are many aspects that can affect risk, e.g. how often a piece of software is updated, if it’s open or closed source, how widely used it is, your personal level of relevant IT knowledge, the likelihood of a serious attack, what you are actually protecting, and so on.

    One central rule is that more attack surface leads to a higher risk of security breaches (e.g. by discovering new vulnerabilities), and hiding everything behind a VPN reduces the attack surface to just one piece of software that’s mainly focused on security. Additional public entry points add convenience but also increase your attack surface, so you have to find a level you are personally comfortable with.

    In my opinion and experience, if an app is made for public access, in a production-ready state and already widely used, if you trust the creator in general and with security updates in particular, and if you trust your own knowledge and ability to configure it correctly and keep all the relevant doors closed, then it’s completely fine to make it publicly accessible in most cases. The security risk is not zero, but it’s way overblown by some people in tech forums.

    In your case, the login page behind a CF tunnel with 2FA enabled and yourself on the lookout for possible vulnerabilities sounds like an acceptable level of risk to me, unless the data on your NAS could start a nuclear war or something.




  • shrugal@lemm.ee to Self-Hosted Main · What service one should NOT self host · 10 months ago

    I’m doing exactly that, and it works like a charm. Get a DynDNS, backup MX and SMTP relay and you’re good, or get a domain provider like strato.de that already includes all three with the domain.

    Spam is also manageable. I get maybe 1-2 per day that make it past the filter, and I do have to add some custom keyword filters from time to time, but that’s about it. Fetching updated filter lists and self-learning from past errors keeps the filter up to date and is completely automated.


  • shrugal@lemm.ee to Self-Hosted Main · Need help getting started · 11 months ago

    Go through all the apps on your phone that have to talk to the cloud to do their job. Most of them can be replaced with privacy-preserving self-hosted alternatives.

    A good starting point would probably be Nextcloud. And remember to also think about a backup strategy for important data.