[boringuser2]

You work with reality as it is, not as you'd prefer it to be.

A home router is generally protected on the WAN side.

Your threat model is to secure connections originating from the LAN side, which is the only way a threat actor can establish a connection into a default deny network.

[sneak]

Connections into hosts on your LAN doesn’t gain an attacker anything, otherwise it would be unsafe to connect your laptop or phone to hotel, coffee shop, or airport wifi, and it’s not.