I now understand why Lemmy is called “link aggregator” software

If you port forward to your Pi, only your Pi will be exposed. But, if your Pi gets pwned, it can in turn attack anything next to it. Safest is to isolate the Pi on it’s own subnet or a DMZ if your router has the functionality.

Of note, many home ISPs block standard server ports like 80 and 443. You might need to use non standard ports like 8080 and 8443