Heh, I'd happily do so with ssh, assuming passwords are disabled, it's the current openssh, all other ports blocked, and only key based auth.

However I wouldn't let the random vendor webstack with cloud sync anywhere near anything I care about.

Nothing paranoid about some healthy caution. The synolocker fiasco proved that NASes are not as bulletproof as some imagined.