The threat model is different between a small private instance, where you only have one or two users, and a large public one with many users. The ROI for hackers is very different - we need MFA for Joplin Cloud but it's not as essential for Joplin Server, because it's only for personal use.
You can also put your private instance behind a VPN which many users who self-host do. Personally I don't self-host anything anymore because it's too much work to secure everything properly, but if I did I would definitely put everything behind a VPN.