Self hosting is much more accessible today. The security issue has not been solved yet though. How do you make available your services to other people?
People won’t install VPNs. They are usually okay with authenticating to a web server, so you can put authentication with something like Authentik in front of your reverse proxy. But can you configure this front end security correctly and patch it, and are you sure it doesn’t have easy zero days?
Your employees/contractors will install your VPN if it's a contingency of employment. If you don't need to serve to the world, this step dramatically limits your attack surface, though you should still use Authentik and TLS.
front it with a cloudflare tunnel
waits for the pitchforks and torches
CF terminated TLS and scans the traffic. It makes sense if you host your services on a VPS.
If I run my services at home, I don’t want to provide Cloudflare with access to my data.
It also makes sense if you run public services at home
Public in the sense that the actual content is public (like a blog), sure, anyone can access it, so does the reverse proxy). Since it’s public, I Would still take the trouble entirely out to a provider.
Public in the sense that the front page is public, and the client still need to authenticate to the service at home, in this case, that does not make sense (the user authenticates to reverse proxy, which authenticates to the service), for the reason I mentioned.