With ports you have dozens or hundreds of applications and systems to attack.

With Tailscale / ZeroTier / etc. the connection is initiated from inside to facilitate NAT hole punching and work over CGNAT.

With WireGuard, that removes a lot of attack surface, but it wouldn't work if behind CGNAT without a relay box.
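As an added illustration of the "relay box" setup the comment refers to (example config, not from the commenter or the WireGuard project): the machine behind CGNAT never listens for anything; it dials out to a relay with a public address and keeps the NAT mapping alive, and the relay forwards traffic between peers. The addresses are from documentation ranges and the key strings are placeholders, so substitute your own before use.

```ini
# --- relay box (has a public IP, 203.0.113.10, assumed here) -------------
# /etc/wireguard/wg0.conf on the relay
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820                 # the ONLY port exposed to the internet
PrivateKey = <relay-private-key>   # placeholder, generate with `wg genkey`
# forward between peers; sysctl net.ipv4.ip_forward=1 is also required
PostUp = iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT

[Peer]
# home box behind CGNAT: no Endpoint here, the relay learns the
# home box's current public address:port from its first packet
PublicKey = <home-public-key>
AllowedIPs = 10.0.0.2/32

[Peer]
# roaming laptop, also initiates to the relay
PublicKey = <laptop-public-key>
AllowedIPs = 10.0.0.3/32

# --- home box behind CGNAT ------------------------------------------------
# /etc/wireguard/wg0.conf on the home box
[Interface]
Address = 10.0.0.2/24
PrivateKey = <home-private-key>    # placeholder
# deliberately no ListenPort: nothing can reach this host inbound anyway

[Peer]
PublicKey = <relay-public-key>
Endpoint = 203.0.113.10:51820      # outbound only, works through CGNAT
AllowedIPs = 10.0.0.0/24           # reach the laptop via the relay
PersistentKeepalive = 25           # keep the CGNAT mapping open so the
                                   # relay can send return traffic

# --- laptop ---------------------------------------------------------------
# /etc/wireguard/wg0.conf on the laptop
[Interface]
Address = 10.0.0.3/24
PrivateKey = <laptop-private-key>  # placeholder

[Peer]
PublicKey = <relay-public-key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25
```

With this layout the only thing listening on the public internet is one UDP port on the relay, and WireGuard drops any packet whose sender does not prove possession of a configured peer key, so a port scan sees nothing. The cost, compared to Tailscale-style hole punching, is that home-to-laptop traffic always transits the relay rather than going direct.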