I have my home server behind a wireguard vpn access.
While I am no security expert, or precisely because of that, I still try to follow security best practices for the internal setup if I can.
Of course you propably do not have to be as vigilant as if your services were publicly exposed. But I believe it is still a good idea to have some "defence in depth" and not assume only one possible attack vector, e.g. what if there already is a bad actor on your home network maybe via a trusted device that has some virus. Also a plus is i guss if you ever decide to expose something later on you wont have as many issues.
The only smart people in tgis are the ones selling rhe bunkers. They charge lots of money for a promise that is not even fully complete as described in the article. In the unlikely event of an actual apocalypse, many will not even rech the bunker in the first place and if somyhing is not ready or woking as it shouls there is nobody left to prosecute.