My point exactly.
HA was not initiating anything. Some random Chinese hacker probably tried “something” on port 8123 of HA, and the “upload” is likely some error message from HA.
OP should check his HA logs, for error messages.
I have two errors near that timestamp:
2021-11-05 16:39:23 WARNING (MainThread) [homeassistant.components.sensor] Updating cryptoinfo sensor took longer than the scheduled update interval 0:00:30
2021-11-05 18:38:17 ERROR (MainThread) [frontend.js.latest.202104073] https://[edited out].duckdns.org:8123/lovelace/default_view:0:0 Uncaught
This seems credible, actually. If this is the case, my Firewalla did what it should 
I will keep monitoring what is going on, I will post here if any new information surfaces. For now, thanks all, for your help!
Well, that depends on how you look at it.
Your firewall did what it was designed to do and that is to let the traffic through, but report it.
It did not stop the China IP from accessing your HA installation and exploit any security holes it found.
Your firewall and NAT just looks at the traffic based on what is in the packet header and not what is inside the actual packet.
Right now your firewall and NAT is set to allow the traffic to HA.
You can limit it somewhat by blocking access from certain IP ranges, but its a tough job to maintain that list.
As it is now traffic goes straight to HA and although HA is most likely designed with security in mind, it is a complex beast and there are many configurations with addons and integrations, which leads to many pitfalls that can turn into security holes.
The general advice is to use a VPN to get access to the internal hosts instead of just a port forward on the router.
A VPN setup is focused only on creating a secure and private connection into you LAN for only those that have the right credentials.
Good addition, luckily my Firewalla has such an option. I will dive into that to make my home network a bit more resilient. Thanks again for your help!