Jas:
If there is one thing we have learned from using NAS in general, it is that all those who let it be reachable FROM the internet will eventually get pwnd. Moreover, the TrueNAS competitors have had the unfortunate realization that hardcoded passwords and account recovery via the internet aren't particularly smart.
TrueNAS is great. But let something else manage and control both directions of internet traffic. If you need access to any of TrueNAS' components from the internet do that via VPN.
Needless to say, if you plan to go the security route you will immediately have to start looking into how to run a small datacenter on a 24/7 server.
If you just want the NAS functionality for your local network, then try going to your router firewall and block all traffic originating from the internet and going to the TrueNAS IP address. Let TrueNAS itself be able to start an internet connection so it can update, install components, send emails, etc.
Regarding rogue 1337 haxors: you should be more worried about what other crap is randomly installed on a machine on your LAN. The best would be to have a completely separate subnet for untrusted devices, and proper routing for only the traffic that is needed for the devices that should have access. So we're again back to quickly running into the learning curve of running a small datacenter.
I suggest you take some time thinking about what you already know about all this, and which level of security you are okay with. You can get TrueNAS up and running and safe-enough with just a few tricks. Going down the rabbit hole is something others are not done with yet after several decades.
Pick your battles. And most importantly: verify your own and others' thoughts and ideas.
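The router rule the post describes (drop everything the internet initiates toward the NAS, but let the NAS reach out for updates and email), as an added example that is not part of the post. It assumes a Linux router running nftables, with a hypothetical NAS address 192.0.2.10 and hypothetical interface names eth0 (WAN) and br0 (LAN); dropped inbound attempts are logged so they show up in the router's journal.

```shell
#!/bin/sh
# Generate an nftables ruleset for a Linux-based router that drops every
# connection the internet initiates toward the NAS, while the NAS itself can
# still open connections outward (updates, package installs, outbound email).
# Hypothetical values: 192.0.2.10 (documentation range) for the NAS,
# eth0 as the WAN interface, br0 as the LAN bridge. IPv4 only; add matching
# "ip6" rules if the NAS also has a public IPv6 address.
gen_nas_ruleset() {
  nas_ip="$1"; wan_if="$2"; lan_if="$3"
  cat <<EOF
table inet nas_guard {
  chain forward {
    type filter hook forward priority 0; policy accept;

    # Replies to connections the NAS opened (updates, SMTP, NTP) may come back in.
    ct state established,related accept

    # Anything the internet tries to start toward the NAS is logged and dropped,
    # even if a port forward or UPnP mapping on the router points at it.
    iifname "$wan_if" ip daddr $nas_ip ct state new log prefix "nas-inbound-drop: " drop

    # The NAS may still open new connections toward the internet.
    iifname "$lan_if" oifname "$wan_if" ip saddr $nas_ip ct state new accept
  }
}
EOF
}

# Write the generated ruleset to a file.
write_nas_ruleset() {
  gen_nas_ruleset "$1" "$2" "$3" > "$4"
}

# Syntax-check a ruleset file with nft without applying it (needs nft installed).
check_nas_ruleset() {
  nft -c -f "$1"
}
```

Load the file with `nft -f` after `check_nas_ruleset` passes, and watch for the `nas-inbound-drop:` prefix in the router's kernel log to see what the internet is actually probing.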