For best practice, my personal recommendation would be to not have any service public facing besides a VPN that requires MFA. segment self hosted services into separate VLANs based on how sensitive the content is. Disallow all traffic between VLANs unless required and only allow based on port number, specific resources needed. Don’t forgot to disable outgoing Internet access unless required. Devices like Chinese made video cameras should never have an Internet connection.

My network looks something like: home vlan, work vlan, Netflix \ hulu streaming devices, cctv, wireless work, wireless home, wireless guest, iot, servers, network management. Would be way overkill for vast majority of people, but I would be hypocritical not to considering what I do and I do have a different threat profile than most.

Another thought: self hosted through VPN with MFA and nothing public facing is probably safer than cloud as long as you have cold backups.