Security is always a compromise. If you want to access your homelab from outside (e.g. to keep your documents in your own hands), you have to open a way. Opening your own VPN endpoint or an SSH port is also a non-zero risk, IMHO.
Not intending to drag on comments, but I would argue running a basic WireGuard VPN on a central VPS (old hub and spoke) near your city is more secure and faster. The attack surface is minimal, you have better control over the firewall, etc.
Mesh VPNs shine in small businesses with many users, where ACLs, SSO, etc. become useful. In home labs, a basic WireGuard server works fine.
I think mesh VPNs and VPS-based solutions are the same in terms of privacy. They all involve third parties that you have to trust. Mesh VPNs might even be slightly better because they use P2P connections whenever they can.
The best solution IMHO would be to use mesh VPNs and secure inter-node connections with an additional layer of encryption. SSH and TLS should cover most use cases here, and both are widely supported and easy to set up.