I am fully aware that the option of supporting a subpath in the Home Assistant URL has been discussed and rejected before, and I even suggested this again just now on GitHub, which was closed once more. However, with the recently disclosed vulnerability I feel that even if not supporting this is not considered a bug, I still think support for it should be added.
Using an undisclosed subpath is the only way (I am aware of) that exposure to vulnerabilities like this can be prevented while simultaneously still supporting the app outside of one's home without resorting to a VPN.
When using a reverse proxy that only routes when a specific (sufficiently random) path is called, you effectively password-protect the entire home-assistant, which completely isolates the installation from anyone who does not know the path. This ensures that no zero-days in the home-assistant webserver can be abused unless you know this secret path.
The same can almost be achieved with a random subdomain if you use a wildcard certificate and DNS record, but this has the issue that this domain would leak during DNS requests and also in the SNI part of a request. So this does not seem like a proper alternative to me.