Honestly, the safest move is to keep these files totally separate from your personal stuff. Running them in a VM or dedicated hardware is really the only way to avoid getting hacked.

What about mTLS? Since you are already on Cloudflare, you might consider their client cert feature, which blocks all incoming traffic without the cert. However, you do have to manage it and set it up on all your devices.