This is a pretty good summary. In enterprise networking, it’s common to have the ‘DMZ’, the network for servers exposed to the internet, firewalled off from the rest of the system.

If you have a webserver, you would need two sets of ports open, often on two separate firewalls. On the WAN firewall, you would open ports 80/443 pointing to the webserver. On the system firewall, between the DMZ and LAN, you would open specific ports between the webserver and whatever internal resources it needs; a database server for example.

This helps limit the damage if a malicious actor hacks into your webserver by making sure they don’t also have unrestricted access to other parts of your system. It’s called a layered security approach.

However, someone self hosting may not have the expertise or even the hardware to set up their system like this. A VPS for public facing services, as long as it’s configured properly, can be a good alternative. It also helps if you have a dynamic WAN IP address and/or are behind CG-NAT.

Edit: maybe good to mention that securing your local network behind a VPN, even one hosted on your local network, is more secure than allowing public facing services. Yes, it means you still have to open a port. But that’s useless to a malicious actor without the encryption keys. Whereas, if you have a webserver exposed publicly, malicious actors already have some level of access to your system. More than they would if that service didn’t exist anyway. That’s not inherently bad. It comes with the territory when you’re hosting public services. It is more more risky though. And, if the exposed server is compromised, it can potentially open up the rest of your system to compromise as well. Like the original commenter said, it’s about managing risk and different network configurations have different levels of risk.