Docker bypassing ufw is very bad

If you disable password authentication, and use public key authentication, yes.

How do you compare Caddy with nginx proxy manager?

Yes. For example, I want to share all emails on a particular person.

The emails can be easily browsed, searched, etc. I don’t want to share my entire inbox.

Is paperless-ngx useful for this too?

You are doing it wrong: SSH with key authentication is the most secure piece, and could even be public. Immich and Jellyfin surely have zero days and should be behind VPN

If you are not familiar with VPNs set up, then use Tailscale. If it can make direct connections, you are done.

Otherwise, run a Wireguard server on VPs