Some systems support MFA, e.g. Vaultwarden. For that I use the built-in MFA with YubiKeys.
For things that are not MFA supported but I need them to be open, I put them behind Authelia and Nginx Proxy Manager.
Authelia config makes sense now. It was confusing at first; however, the custom config required on NPM still confuses me.
Anything else stays off the internet and I can access via VPN back into my LAN.
Orion Browser allows full extensions such as uBlock Origin. That helps, but I found even if the stream plays on the iOS device the AirPlay stream won’t work due to some odd encoding the website is doing.