And to be honest, I wouldn't expect Unraid to be fully hardened; it's a risk/reward balance the end-user needs to accept.
Having done quite a bit of reading over these forums, my biggest concern is that the developers seem to have a head-in-the-sand attitude to security. Yes, I fully accept that an Unraid box should never be connected to the internet, but the threat landscape has changed significantly recently, and software running on an internal LAN needs to be implemented accordingly.
There seem to be quite a few security threads where the developers haven't bothered to reply when the questioning got too hard; my direct question above is another example (despite them answering other threads, proving they are online...).
I would be more concerned.
If your PC were to be infected with botnet software, it may not be apparent, but the attacker has full control over your PC and its network stack.
This could be used to scan the internal LAN for Linux hosts with open port 80 -- yep, that's Unraid.
The attackers can then directly attack your Unraid Linux box, using the botnet-infected Windows PC as a lever into your network.
It's not just Windows PCs. Check out the recent huge Mirai DDoS attack that compromised IoT devices (IP cameras etc.). The leaked code for Mirai is freely available for download, and I'm sure there are plenty of people using it to gain access to private LANs through an unsecured IP camera.
This is what I mean when I say the threat landscape has changed recently: the threat is now inside as well!
Don't get me wrong, I think Unraid is excellent. It ticks all the boxes I need for the in-laws' media server, and with the Docker and KVM implementation I'm even considering it as a replacement for a few Proxmox test servers, but reading the other threads on the forum makes me question the security commitment.
I guess spending time adding eye-candy and stuff like that is more profitable than mundane security stuff, which is a very short-sighted approach.