I think the threat model is sufficiently different enough for self hosters versus commercial offerings that it is possible to maintain a comparable level of security to what you'd enjoy elsewhere with significantly less technical training. E.g., I run a home server using a point-to-point Wireguard configuration such that only devices I've explicitly set up with Wireguard can access any of its services. My ports are very quiet.
I think the threat model is sufficiently different enough for self hosters versus commercial offerings that it is possible to maintain a comparable level of security to what you'd enjoy elsewhere with significantly less technical training. E.g., I run a home server using a point-to-point Wireguard configuration such that only devices I've explicitly set up with Wireguard can access any of its services. My ports are very quiet.