Their setup sounds similar to mine. But no, only a single service is exposed to the internet: wireguard.
The idea is that you can have any number of servers running on your lan, etc... but in order to access them remotely you first need to VPN into your home network. This way the only thing you need to worry about security wise is wireguard. If there's a security hole / vulnerability in one of the services you're running on your network or in nginx, etc... attackers would still need to get past wireguard first before they could access your network.
But here is exactly what I've done:
Bought a domain so that I don't have to remember my IP address.
Setup DDNS so that the A record for my domain always points to my home ip.
Run a wireguard server on my lan.
Port forwarded the wireguard port to the wireguard server.
Created client configs for all remote devices that should have access to my lan.
Now I can just turn on my phone's VPN whenever I need to access any one of the services that would normally only be accessible from home.
P.s. there's additional steps I did to ensure that the masquerade of the VPN was disabled, that all VPN clients use my pihole, and that I can still get decent internet speeds while on the VPN. But that's slightly beyond the original ask here.