On simple home routers, when you open a port, it is open for everyone. There are plenty of people who do port scans and they scan every port on every IP that is Internet accessible. So someone somewhere in the world has probably already seen that the port you used is open and have already tried to access it. Depending on how you authenticate and how complex it is, they may already have accessed it. A VPN would allow you to access it but not others since a port is not readily open like how you have it now.
At my place, while I have port forwarding, it is locked down. Either from certain networks on the Internet or just a geo-location basis; like USA only. I also have logging and alerting, so i know when someone tries to get in along with an IPS and too many tries will trigger the IPS to start dropping that traffic. Someone that stumbles across the port being opened sometimes are not to sneaky and just try the brute force attempt at a high rate. I have my home automation on the Internet, it sits behind an IPS and a WAF. I also use geo-location blocking. I also have 2FA setup and you get two tries before that IP gets banned. I also don't allow things like TOR exit points or open proxies to access it either.
So it is all up to you how secure you want to make something.
As a side note, you also have people that port scan the Internet for research purposes. They collect the data and then make money off of it. Here is an example:
https://www.shodan.io
Some of this research also can cause issues since someone looking to infiltrate whatever they can, can use those research results and just use it to find their targets since the port scanning was already done. I block these research scans and some will even allow you to request your address to be in their do not scan list. I have contacted and have been removed from about two dozen "research" scanning projects.
At my place, while I have port forwarding, it is locked down. Either from certain networks on the Internet or just a geo-location basis; like USA only. I also have logging and alerting, so i know when someone tries to get in along with an IPS and too many tries will trigger the IPS to start dropping that traffic. Someone that stumbles across the port being opened sometimes are not to sneaky and just try the brute force attempt at a high rate. I have my home automation on the Internet, it sits behind an IPS and a WAF. I also use geo-location blocking. I also have 2FA setup and you get two tries before that IP gets banned. I also don't allow things like TOR exit points or open proxies to access it either.
So it is all up to you how secure you want to make something.
As a side note, you also have people that port scan the Internet for research purposes. They collect the data and then make money off of it. Here is an example:
https://www.shodan.io
Some of this research also can cause issues since someone looking to infiltrate whatever they can, can use those research results and just use it to find their targets since the port scanning was already done. I block these research scans and some will even allow you to request your address to be in their do not scan list. I have contacted and have been removed from about two dozen "research" scanning projects.