That's what I do. I have Wireguard connected on my iPhone at all times.
LLMs became so good that I don't trust a codebase like Immich to have ports to my server exposed publicly.
I put everything behind Wireguard to limit the number of lines of code that might bring down my setup.