Aachen 2 days ago

Done it since before I properly knew what I was doing. Haven't had issues. Even though n=1, also now that I'm actually working in IT security, I don't think the risk was ever much bigger than what I could oversee.

The main thing is that, if someone gets onto the server system, then they're in my network and they can do attacks on other devices in that LAN (guest Wi-Fis are a nice way to isolate that nowadays; that didn't exist back when I started). Same as when I take my laptop to school for example, then others can reach it. I've had issues with others in school doing attacks because the internet was unencrypted HTTP back then (client-side hashing in JavaScript limited the impact though), but not from anyone who tried to hack into the server. Only automated scans for outdated WordPress, setup files for phpMyAdmin, SSH password guessing... the things they simply try blindly on every IP address. If any of this is successful, you're most likely going to be turned into a spam-sending server or a DDoS zombie; not something with lasting impact once you discover the issue and remove the malware.

Most attackers don't do targeted attacks on your system or network unless you're a commercial entity that presumably can pay a nice ransom, or are a high-profile individual. Attackers aiming for consumers send phishing emails and create phishing advertisements, look for standard password vaults if you run their malware, try using stolen credentials on Steam and hope you've got a payment method stored... the usual old things. Having a server doesn't make any of those attacks easier, and besides, self-hosting is very uncommon. Even if you and I had a similar enough setup at home with a straightforward path to exploitation, it's a few thousand people that self-host in a country with millions of people. It's not worth developing attacks for.