Personally, I don’t expose the port externally, so I’m not sharing photos via Immich right now. I host locally and it is on a proper domain with a Let’s Encrypt certificate, and I use Gandi LiveDNS to update the dynamic IP, but my DD-WRT router is set up to only allow access from internal IP addresses and my current WAN IP. It does work externally, but like you I am a bit wary of it. That doesn’t just apply to Immich. I do the same with my Nextcloud.
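The allowlist described in the post, as an added example that is not the poster's own router script: a small POSIX shell script that builds iptables rules admitting only the LAN subnet and the current WAN address to a service port and re-applies them when the dynamic address changes. The LAN range, port, WAN interface name and the use of `ip(8)` on the router are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): restrict a self-hosted service
# port to the LAN subnet plus the router's current WAN address, dropping all
# other sources. Values below are assumptions; set them for your DD-WRT box.

LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"   # assumed LAN range
SERVICE_PORT="${SERVICE_PORT:-2283}"      # assumed Immich port
WAN_IF="${WAN_IF:-vlan2}"                 # assumed WAN interface name
STATE_FILE="${STATE_FILE:-/tmp/svc_allow.wan}"

# Print the rule set for a LAN range, a WAN address and a port. Kept as a
# pure function (it prints, it does not apply) so the rules can be reviewed.
build_rules() {
  lan="$1"; wan_ip="$2"; port="$3"
  echo "iptables -N SVC_ALLOW 2>/dev/null"
  echo "iptables -F SVC_ALLOW"
  echo "iptables -A SVC_ALLOW -s $lan -j ACCEPT"
  echo "iptables -A SVC_ALLOW -s $wan_ip -j ACCEPT"
  echo "iptables -A SVC_ALLOW -j DROP"
  # Remove any earlier jump first so repeated runs do not stack duplicates.
  echo "iptables -D INPUT -p tcp --dport $port -j SVC_ALLOW 2>/dev/null"
  echo "iptables -I INPUT -p tcp --dport $port -j SVC_ALLOW"
}

# Current IPv4 address on the WAN interface (assumes ip(8) is available).
current_wan_ip() {
  ip -4 -o addr show dev "$1" | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# Re-apply the rules only when the dynamic WAN address has changed.
refresh() {
  ip="$(current_wan_ip "$WAN_IF")"
  [ -n "$ip" ] || { echo "no IPv4 address on $WAN_IF" >&2; return 1; }
  if [ -f "$STATE_FILE" ] && [ "$(cat "$STATE_FILE")" = "$ip" ]; then
    return 0
  fi
  build_rules "$LAN_CIDR" "$ip" "$SERVICE_PORT" | sh
  echo "$ip" > "$STATE_FILE"
}

if [ "${1:-}" = "refresh" ]; then refresh; fi
```

Run it with `refresh` from the router's cron alongside the DDNS update so the allowlist tracks the address that Gandi LiveDNS publishes.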
This is exactly what I do too!