We shouldn’t make decisions on ‘feels.’ Why do you believe it to be insecure? Those aren’t the questions you need to ask first.
What is your goal?
I ask this as it matters to the answer - Do you want to learn more about selfhosting and Linux? Do you want to learn more about Home Automation? Do you want to learn about Zigbee?
There are many different ways to run HA. HAOS, Supervised, Core, Containerized - each of them has pros and cons - you need to deeply understand the difference - else you risk the next noob question - why can’t I have addons in CORE??!!
If you want to run your own ‘equipment’, you use something other than HAOS. HAOS on the other hand is by far the EASIEST way to run HA. So which do you want? Are you more into the nuts and bolts or would you prefer to learn HA and not care about the nuts and bolts so much?
If your answer is I don’t care about the nuts and bolts as much as HA - then you want HAOS, your choices are Pi or VM on the gear you already have because HAOS is an os level replacement.
You could run supervised on the Pi - just word of wisdom - don’t. Not worth the headache unless your hobby is maintaining an OS.
The reason I say it’s your OS install type - not the gear… It’s basically portable. If you’re using a version of the system that supports backups (do it early and often) you can restore a backup of a HAOS or supervised install to another in just a few minutes and everything comes back - doesn’t matter architecture. That includes migration…
If you have the ability to sequester the Pi to a different VLAN or network - you can do it with your other gear too. Grow into your needs.
Addons v. Integrations:
One big misconception when newbies get started is - OH NO I need Addons - I can’t have them with Core. Addons are NOT Integrations. Integrations are modules of code that load INTO Home Assistant to provide access to technology. Addons are Servers and Services that run completely independent of HA but may provide additional utility. Integrations are available in ALL install types. For most ADDONS there is installable code where you could run the same service on independent hardware. So don’t worry about losing access to things by going Core - it again comes down to how you like to MAINTAIN your stuff.
It’ll come down to - do you prefer to run your own docker containers for your extra stuff or no? If you don’t care to be a server admin (like me… I’m in IT all day every day) HAOS - has the system, maintains the OS for you and ‘addons’ are pre-canned-configured containers to get you extra functionality. You get Addons in Supervised too - but that’s not for the faint of heart. If you want to run your own OS AND like maintaining the other software - then you want Core or Container - but you have to maintain your own docker images for all that ‘extra’ stuff.
Your network config and choice of how you expose your install to the world (Internet access, IoT subnet, etc) is also independent of the gear, so you could, in theory, START on HAOS on that Pi and be up and running in a couple hours or less today. When you feel you’re comfortable with how it all works, transfer it to different gear. Or stay - your choice.
My personal suggestion - small install on the pi, learn the ins and outs of HA and the nuance of Zigbee before trying to also include it in a self-host environment. Get it rolling, figure out the network, etc. If you want to move it later - then just move a VM of HAOS into the selfhost environment, restore the backup and then correct the virtualized hardware specific issues. It’s too easy to mess up a HA install without also worrying about the intricacies of the OS or hypervisor. One step at a time.