I have multiple public sites that are running through vpn+reverse proxy, for example, vaultwarden, and it’s more secure because in the reverse proxy I can have rules to pass the connection to specific end points so clients can access it securely but the actual webpage is locked behind SSO. I never encountered a VPN failure, if the connection is up it is up, and it’s an encrypted tunnel too. Another example, if you use something like coolify, you can pair it with another reverse proxy on top of traefic one builtin, and if you browse that service in coolify, your packet is going through an encrypted link all the way to the docker image behind coolify.

Last time I used DDNS i think was around 2012 in an NVR where I needed to access some cameras publicly.