It’s typically against the terms of service to open ports less than 1024 (well known ports) of most ISP’s for personal internet. That, and there are bots that probe for insecure and misconfigured stuff constantly. Spin up a VPS and take a look at the SSH logs. What if a zero day vulnerability occurs? Are you going to be able to react quick enough to prevent someone from doing damage?
Cloudflare is nice because you no longer need to update your DNS A records, plus it caches data, automatically enables SSL, and absorbs bot traffic for you. Have also tried the Wireguard + VPS route, but that gets expensive because most charge ingress and egress.
I don’t trust vaultwarden, only on the basis that it’s unofficial and not as strictly audited. I use the container stack provided by bitwarden behind a cloudflare tunnel and backup the data directory with duplicati to S3. Should be able to do the same with vaultwarden, just try a backup test.