You are. I'm tunneling a /23 which I let Vultr announce via BGP over WireGuard to a local router VM. I have a nftables firewall in place before routing the traffic through the tunnel. I block everything except for exposed IPs and ports/protocols just to keep my limited bandwidth free of noise.
You do. That's why I wouldn't recommend it to anyone unless they absolutely know what they're doing. Can't tell you how many friends I had to have a talk with who had plain vanilla port forwarding done on their home router, exposing their entire home network to the web.
Nowadays, I recommend them use Tailscale as an out-of-the-box Wireguard-based VPN to safely connect to their home servers from remote locations.
To be honest, as an IT professional you should have basic knowledge about firewalls. nft/nftables is a big improvement in firewall usability for Linux, I also know many homelab people using OPNSense or even DD-WRT for that job. I prefer plain Linux (distro of your choice, I don't judge) and nft.
TL;DR
One should know firewall fundamentals, nft/nftables as successor of iptables is very convenient to use, a single config document instead of interactiving with 100 cli commands which have to be in a specific order.
I always felt like you are painting target on your homelab when you allow outside access.