...without snark or jumping down my throat. I genuinely want to know why it's so unsafe.

I'm running a Synology DS920+, with my DSM login exposed through a Cloudflare tunnel. I have 2FA enabled, Synology firewall enabled with these rules in place. I also have this IP blocklist enabled.

After all of this, how would someone be able to break in via the DSM login?

[-] shrugal@lemm.ee 1 points 11 months ago* (last edited 11 months ago)

It's a matter of risk management, and your personal situation and willingness to sacrifice convenience to reduce risk. There are many aspects that can increase or reduce risk, e.g. how often a piece of software is updated, if it's open or closed source, how widely used it is, your personal level of relevant IT knowledge, and so on. One central rule is that more attack surface leads to a higher risk of security breaches, and hiding everything behind a VPN reduces the attack surface to just one piece of software that's mainly focused on security. Additional public entry points add convenience but also increase your attack surface, so you have to find a level you are personally comfortable with.

In my opinion and experience, if an app is made for public access, in a production ready state and already widely used, if you trust the creator in general and with security updates in particular, and if you trust your own knowledge and ability to configure it correctly and keep all the relevant doors closed, then it's completely fine to make it publicly accessible in most cases, and the security risks of doing so are way overblown by some people in tech forums.

In your case, the login page behind a CF tunnel with 2FA (and hopefully HTTPS?) enabled and yourself on the lookout for possible vulnerabilities sounds like an acceptable level of risk to me, unless the data on your NAS could start a nuclear war or something.

this post was submitted on 23 Nov 2023