Thanks for the suggestion. Can you explain how my current setup with WireGuard is insecure?
reply
The issue isn't WireGuard. WireGuard is secure, and the services listed above are built on top of it, although they make things easier with centralized management. The issue is in the DDNS: there are many issues with it in terms of security (1), along with PF. You can look them up online, but the short answer goes back to the fact that you are exposing an internal service to the public internet; all it takes is some crawler/mass scanner/etc. to find your running service and poke it. So, for example, if your home server is running a CCTV or network storage service, accessed through DDNS, and the attacker found an exploit in that service, all your data is now at their mercy. The best risk management strategy is always avoidance, not mitigation, so if you can avoid any risk by never exposing it online and only accessing it through an internal VPN, and maybe plus a reverse proxy, then you are set.

(1) https://nextgeneration.digital/blog-dynamic-dns-security-con...