For me, I've decided to just have everything behind a VPN. Tailscale and Cloudflare tunnels make this quite easy to set up, dealing with DDNS and CGNAT for you.
The upside is the security risk is massively reduced; an attacker would have to exploit both the VPN and the service behind it, both of these in theory being secure anyway. The downside is obviously that you require installing a VPN client to access services, but if it's only you using the server this isn't a huge deal.