Anything you expose should have at least 2 layers of authentication in front of it. Do not trust that the login pages for your services will keep everyone out; assume that someone has already found an exploit to allow access. Plex is the only service that I run where 2FA is not possible, but everything else should have layers of security. Things like management UIs (Unraid, NPM admin page, etc.) should almost never be exposed to the internet.
I would always be thinking of ways to provide the least amount of exposure possible. For example, instead of exposing Sonarr/Radarr separately, just expose Ombi behind 2FA to limit the overall attack surface and total number of exposed ports. Argo tunnels are great, but 2FA is the real winner when it comes to security. Cloudflare has a lot of great security features built in, but where there is a will, there is a way.