I used to expose my workstation RDP directly but with a non-standard port. Then I became a "homelabber", and paranoid, and added a mix of nginx with basic auth in front of Guacamole. The UX in browser is so abysmal that I used it to configure direct RDP when I really needed to work remotely when traveling. Then I learned Tailscale and it is really liberating. Just direct RDP with negligible (for me) risks. I run OneDrive, JetBrains Toolbox, Podman just visible in the tray and what else as services, such as OpenVPN, etc. I keep Tailscale running only when I travel. I think paranoia should stop at some point, yet I still read the top comment about security/trust very attentively.