Let's clear up a few things. First, Unraid OS is an appliance like your router. There are no "users" in the traditional sense; there is only an admin login. In our case, instead of using the 'admin' username we just left it as 'root'. We could create an 'admin' alias for this login but it would still be 'root'. Hence enabling Remote Access is similar to enabling remote management on your home router. In both cases you are advised to create a strong password.
Unlike your home router, however, with Unraid you can examine the code that handles authentication. At present we implement rate limiting in nginx to mitigate brute force attacks. You can also select a non-standard port for SSL traffic.
Another mitigation would be to implement a failed password count and back-off timer, e.g., you can configure up to N times to enter password, after that it's locked out for X minutes (this is not implemented yet).
Another mitigation would be to implement 2FA on the Unraid login.
Let's suppose we have these additional mitigations in place. If your server reboots for some reason while you are away (perhaps power failure/restore), here's what you would do to get things going again:
1. Log in to the forum: specify username, password, enter 2FA code from your phone.
2. Click the server remote access link: specify password, enter a different 2FA code from your phone (once implemented).
3. Enter the encryption password, click Start to bring up the array.
4. Enter the flash backup encryption password, re-enable automatic flash backup (once implemented).
5. Start any services which are not set to autostart.
To me this seems fairly onerous but in the interest of maximum security, is probably what has to be done.
Of course you don't have to use the Remote Access feature.
Being nonchalant is absolutely not the case. Security feedback is very much appreciated and the reason we have released this "early access" feature as a plugin, so that we can easily make changes and so that everything is visible.
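The failed-password count and back-off timer described in the post above, as an added example that is not part of the original post and is not Unraid's code. The class name, the per-client-address keying and the PBKDF2 sample credential are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time


class LoginThrottle:
    """Allow max_failures (N) bad passwords per client, then lock out for lockout_seconds (X)."""

    def __init__(self, max_failures=5, lockout_seconds=600, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so the timer can be tested without sleeping
        # Assumption: state is keyed per client address, so a remote guesser
        # cannot lock the legitimate admin out of the single 'root' login.
        self._state = {}  # client -> (failure count, locked-until time or None)

    def seconds_locked(self, client):
        _, until = self._state.get(client, (0, None))
        if until is None:
            return 0
        remaining = until - self.clock()
        if remaining <= 0:
            del self._state[client]  # lockout expired: counting starts afresh
            return 0
        return remaining

    def attempt(self, client, password, verify):
        """Return 'ok', 'denied' or 'locked'; verify() is never called while locked."""
        if self.seconds_locked(client) > 0:
            return "locked"  # even a correct password is refused, so no oracle
        if verify(password):
            self._state.pop(client, None)  # success clears the failure count
            return "ok"
        count = self._state.get(client, (0, None))[0] + 1
        until = self.clock() + self.lockout_seconds if count >= self.max_failures else None
        self._state[client] = (count, until)
        return "denied"


def make_verifier(password):
    """Constructed sample credential: salted PBKDF2 hash, constant-time comparison."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(candidate):
        derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
        return hmac.compare_digest(derived, stored)

    return verify
```

The state here lives in memory, so a restart clears lockouts; a deployment would persist it and bound the table size.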