To be clear, the storage app is not bound to the port, rather it’s a VPN server.

It’s how most companies operate (RBAC behind a private key challenge).

Exposing anything to the internet carries intrinsic risk, but exposing a VPN door is among the least risky of the available options, if internet accessibility is an essential feature. The only realistic compromise vectors are private key disclosure, bad VPN configs, or operating an outdated version of WireGuard with a known vulnerability.

What I do is use L2TP/IPsec VPN to phone into my home network and then login and use Synology NAS "locally". There's no inherent need to open your NAS to the internet if you don't want to.