I’m a network engineer and >15 years of experience in IT. It’s never “safe”. Not even in corporate IT. You’re a home user and it’s less likely you’ll be targeted but bad actors do comb the internet for known vulnerabilities. Patch your shit, limit exposure, enable MFA on everything. I don’t run it, but I feel slightly sketched out not behind something like a Palo Alto. But again I’m just a small potato in a big sea and I patch everything.

There will always be risk. Just do what feels right for you. Follow beat practices.

I use a reverse proxy and client certificate authentication for anything I expose. That requires me to pre install the client certificate on all of my devices first, but afterwards they can connect freely via a web browser with no further prompting to authenticate. Anybody without the client certificate gets a 403 before they even get past the proxy.

There are limitations to this and overhead of managing a CA and the client certificates for your devices.

It’s only bad practice if you don’t keep up on vulnerabilities/patching, don’t have any type of monitoring or ability to detect a potential breach, etc.

The nice thing about tucking everything behind a VPN is you only have one attack surface to really worry about.

Not bad practice just not as secure.

You can’t beat the security of not exposing it but sometimes you need to so then you need to mitigate it with certs, reverse proxy or VPN.

It depends on what you need and what your thread model is.