Long story short both my with and I have work VPNs on our phones that need to be enabled at all times and therefor a VPN for our own network isn’t a viable path (sure wish there was some sort of VPN per focus mode type option but alas). What is the next safest option for us to expose a few core services (Immich, Paperless, etc.).
The safest is simply to not expose at all and we’ll definitely be doing that for the majority of our services.