
A NAS box is going to get hacked (X), have backups neglected/misconfigured/misdelegated and then have data accidentally deleted or experience disk crashes, etc. You can improve your chances by investing time and energy on taking good care of it, but even then you can still get bitten.

(X) devices from both vendors you mentioned are pretty frequent victims



Only devices with services exposed to the Internet were hacked. Devices inside the LAN, with external access provided by VPN, were not hacked.

This applies to any service or device that you run. A NAS is no exception. Your printer could be hacked if you exposed it to the Net.

Data can be accidentally deleted anywhere, at cloud providers or on your own storage. You must make backups anyway.


No, that's 90s thinking. Current methods don't require the boxes/services to be directly internet-addressable.

An exception is when you have a completely isolated LAN that's not serving internet-connected computers. But that's pretty spartan.


The infections needed to have access to the web console (in Synology's case, that's port 5000).

Unless you are targeted, that's very difficult to achieve even in slightly secured networks (i.e. every possible toggle in settings is not ON).

When you are targeted, it does not matter whether you use Synology or Dropbox; the approach is tailored to your situation.


For just one technique, read up on DNS rebinding attacks vs home "routers". Same works against NAS devices.

These devices are so common that it is cost effective to do against a bunch of device+vuln combos in a mass drive-by fashion (served by compromised or shady ad networks or any of the other 100 methods that get you to follow a bad link).

Or there's going to be another Taiwanese device or PC compromised on your LAN and it'll automatically portscan & metasploit all your network in 5 minutes.

Also don't think getting "targeted" means you have to be James Bond-special. It can mean someone found a prominent blog they'd like to inject their rogue ads on. Or you pissed someone off online and they got some script kiddies to spend 10 minutes to ruin your day and get their laughs (or $20 in bitcoin).

Dropbox's security guys will detect these after they get used a few times (before they get to you), unlike your Taiwanese NAS vendor who will only do something half-assed 2 weeks after it hits the news. Or nothing when it doesn't hit the news, as often happens.

All in all the mindset that you have "LAN" or "intranet" that's a significant security perimeter is outdated even if you're nobody. Don't make a network that's "hard and crunchy on the outside, soft and chewy on the inside".


Well, the rebind attacks depend on multiple weak points. Our DNS cache does not allow external DNS servers to return IP addresses from our internal range. But I guess not everyone's router does that.

But your point is valid.
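The rebinding technique raised above, and the resolver-side filter the last reply describes, as an added example that is not part of the thread and not code from any router or NAS vendor. The attacker domain (evil.example), the local name (nas.lan), the 203.0.113.0/24 public address and the sequence of upstream answers are constructed for illustration. It walks the attack timeline (first lookup points the attacker's origin at a public host, the second, after TTL expiry, at the NAS), shows the filter that refuses LAN addresses in answers from outside, and adds the check the NAS web console itself should do on the Host header, since a rebound request still carries the attacker's hostname:

```python
"""DNS-rebinding attack flow and two defences (added example).

Names, addresses and upstream answers are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Ranges an answer from the public Internet should never point at.
# 0.0.0.0/8 is included because browsers treat 0.0.0.0 as the local host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(addr: str) -> bool:
    """True if addr lies in a LAN, loopback or link-local range.
    IPv4-mapped IPv6 (::ffff:192.168.1.10) is unwrapped first so it
    cannot be used to slip a private IPv4 address past an IPv4-only list."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS)


def filter_upstream_answer(qname, answers, local_names=()):
    """Resolver-side defence (the dnsmasq --stop-dns-rebind idea): drop
    A/AAAA records pointing into the LAN unless qname is a name this
    network legitimately resolves to an internal address.
    Returns (kept, rejected)."""
    allowed = {n.lower().rstrip(".") for n in local_names}
    if qname.lower().rstrip(".") in allowed:
        return list(answers), []
    kept = [a for a in answers if not is_internal(a)]
    rejected = [a for a in answers if is_internal(a)]
    return kept, rejected


def host_header_ok(host_header, allowed_hosts):
    """Service-side defence: the NAS web console refuses any request whose
    Host header is not a name or address the box is known by. urlsplit
    strips the port and IPv6 brackets and lowercases the name."""
    name = urlsplit("//" + host_header).hostname
    if name is None:
        return False
    return name in {h.lower() for h in allowed_hosts}


def simulate_rebinding(upstream_answers, protect):
    """Walk the attack timeline. upstream_answers is the sequence of answers
    the attacker's authoritative server gives for its domain (short TTL, so
    the browser asks again). Returns the addresses the victim browser would
    connect to under the attacker's origin, with or without the filter."""
    reached = []
    for answers in upstream_answers:
        if protect:
            answers, _ = filter_upstream_answer("evil.example", answers)
        if answers:
            reached.append(answers[0])
    return reached


# Constructed attack: the page is first served from a public host, then the
# same origin is pointed at the NAS on the victim's LAN.
ATTACK_ANSWERS = [["203.0.113.5"], ["192.168.1.10"]]

if __name__ == "__main__":
    print("no filter  :", simulate_rebinding(ATTACK_ANSWERS, protect=False))
    print("with filter:", simulate_rebinding(ATTACK_ANSWERS, protect=True))
    print("Host evil.example accepted by NAS?",
          host_header_ok("evil.example", {"192.168.1.10", "nas.lan"}))
```

Without the filter the browser's second request lands on 192.168.1.10 while the page's origin is still evil.example, so same-origin policy gives the attacker's script full read access to the console. The local-name allowlist matters in practice: a filter that rejects every internal answer also breaks split-horizon names the LAN relies on, and the Host check on the device covers the case where the router upstream does no filtering at all.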



