What's the risk with a static site, genuine question? All I can think of is a CVE in HTML or nginx; that seems pretty rare to me. If you're extra paranoid you can isolate the Pi on your network.
imo it's not setting up the site once that's the problem, it's keeping it maintained indefinitely without making mistakes, because hostile automated systems will keep on rattling the doorknob like Jurassic Park velociraptors. (And I agree, for sophisticated users keeping it off your home network goes a long way towards preventing worst-case outcomes.)