For what it's worth I have been running my own things since the 90's and not yet compromised. I disable the CPU mitigations and have a minimal firewall configuration. I do keep things patched and keep an eye on news regarding the public services I run but only enough that I can still call it a hobby. I try to only expose daemons that have been battle hardened on the internet for decades.
In the early 2000s I ran phpBB and that was a little risky and did require hardening php.ini.
There really isn't anything utopian, however; it's just a hobby and a way to let friends communicate without big brother putting their peanut butter in our chocolate. If you don't feel comfortable tinkering then of course don't. Never feel pressured. One can always start off sharing their services with a few friends and not advertise it globally. Find a hacker friend that can help pen-test your stuff. Perhaps even restrict access to your friends' IP addresses or the CIDR blocks of their ISPs to limit access. Or use WireGuard to restrict access to a VPN. If it's a web daemon, just adding simple authentication with obscure usernames and good passwords in front of it will nullify most of the bots until one is comfortable sharing it with the world.
Probably one of the riskiest things I have set up was just this week exposing Unbound DoH to the internet. Unbound has had a handful of security issues in the past. The HN crawling bots are getting confused by this weird thing listening on port 443 but they just can't figure out how to connect to it. If it gets popped I will just nuke that VM and revoke the cert. There's nothing sensitive on it.