Speaking as someone who decided to "just be a consumer and trust that my NAS manufacturer had appropriately hardened the login interface", and was using 2FA, and subsequently fell victim to a ransomware attack:
Do not expose any port on your NAS to the internet.
If you really want it available to you when you're away from home, set up a VPN using a separate device as the VPN server.