By hosting services on your desktop, you are increasing your threat surface. Every additional software that you run increases your potential to catch malware. It also requires powering a beefy machine 24/7 to keep the service up, when in reality anything that isn’t a media server can run on 3rd gen Intel CPUs that have relatively low TDP.
I have my 22 port opened on IPv6 only and I can only authenticate with my private keys, which are all added in .ssh/authorized_keys. Fail2ban is configured to keep the bots out but the ban log is empty because there are either no bots operating on IPv6 yet or my IP is so far out of reach it will take the bot a millenium to get to my address.
Some set up WireGuard or another VPN protocol but I like having everything within reach as long as the device I’m carrying has my key on it.
One thing you should avoid is opening your docker containers to the web. If your VPS isn’t behind a NAT (they usually aren’t) becareful when binding ports which usually bypasses whatever firewall configuration you may have because docker writes it’s changes directly to nftables.
https://docs.docker.com/network/#published-ports
Other then that, remember that this is just a hobby (for now) and take a break when something doesn’t work or you don’t understand it. I personally did a lot of mistakes because I was just eager to finish something and I was rushing it.
Docker Engine is open source. They could’ve easily contributed patches to it which just further proves that it is a NIH syndrome response.