I'm concerned about self-hosting a service like this as well, so I put mine behind an nginx reverse proxy that requires a client cert for auth. That way, an attacker won't even be able to reach the Bitwarden server to try to get in (unless there's a vulnerability in nginx).
You can host it all behind Wireguard. That way, an attacker doesn't have access to your Nginx proxy. After all, why would the whole internet need access to your Bitwarden server (or a reverse proxy serving it)?
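A sketch of the two setups discussed above, as an added example that is not taken from either commenter's configuration: an nginx server block that rejects any TLS client without a certificate signed by a private CA, with a commented alternative `listen` line that binds only to a WireGuard interface address. The hostname, file paths, upstream address `127.0.0.1:8080` and tunnel address `10.8.0.1` are all assumed placeholders.

```nginx
# Added example: all names, paths and addresses below are placeholders.
server {
    # Public listener protected by client certificates.
    listen 443 ssl;
    # Alternative for the WireGuard approach: bind only to the tunnel
    # address so the proxy is unreachable from the public internet.
    # listen 10.8.0.1:443 ssl;

    server_name vault.example.internal;

    # Server certificate presented to clients.
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Private CA that issued the client certificates. Only clients
    # holding a certificate chained to this CA complete the request.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;   # "optional" would let unauthenticated clients through
    ssl_verify_depth       1;    # client certs are issued directly by the CA

    # Revocation list, so a lost device's certificate can be refused.
    ssl_crl /etc/nginx/tls/client-ca.crl;

    # Record who connected, for later review of access.
    log_format mtls '$remote_addr [$time_local] "$request" $status '
                    'verify=$ssl_client_verify dn="$ssl_client_s_dn"';
    access_log /var/log/nginx/vault_access.log mtls;

    location / {
        # Bitwarden backend, reachable only from localhost.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Note that `log_format` is only valid in the `http` context, so move that directive out of the `server` block into `http` before loading this. With `ssl_verify_client on`, nginx answers requests that lack a valid client certificate with a 400 error before anything is proxied to the backend.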