VPN to access your HA is more secure than exposing it directly by port forwarding to the internet to everybody. There are various free solutions such as OPNSense for this.
Thanks for that - makes sense to me, just need to figure it out. I’ve converted from SmartThings to HA only recently. I’m very happy about that move, but it’s not for the faint of heart. But I’ll get VPN on my to-do list sooner rather than later.