The current Nabu Casa Remote UI feature blindly forwards the TCP payload to your in-home server. This means any vulnerability in the home-assistant code base can receive packets directly from the internet. This is not a security best practice.
I’d like to see a method for the remote UI to be authenticated on the nabu casa side, and then only after authentication is successful will packets be forwarded to my in-home server. This complicates the ability to provide end-to-end encryption obviously, but it permits a far greater level of security within the home implementation. It even affords the opportunity to perform 2FA on the initial auth, so an attacker would have to either compromise the Nabu Casa proxy, or compromise the 2FA system in some way, to even begin data transfer with the hass daemon in the house. This raises the bar for compromise significantly.