My requirements are rather simple, and I went with the following:

1. I've installed Tailscale (Mesh VPN) on my server and all of my devices that'll connect to it.

2. Since I'm using Windows 10 Pro as my host OS, I've blocked all incoming connections from IPs other than my LAN and VPN addresses in Windows Firewall on my server.

2a. I've run a port scan on my server's external IP address to ensure that all ports are blocked to the outside world. They are.

1. In my server applications, which are Emby for music and movies and Logitech Media Server exclusively for music, I've blocked all incoming connections except those from my LAN and VPN addresses as well. While this isn't absolutely necessary, since addresses other than those would by blocked by Windows Firewall, I like the double layer of protection.

Regarding the overlap in server applications with music:

I've LMS configured to perform server-side DSP, which I run for Volume Leveling, Loudness Compensation, and Speaker/Room Correction EQ. However, it does so and presents me with a 24/48 FLAC stream as a result. This is fine on my LAN, but not suitable for cellular as I don't have an unlimited data plan due to the expense of it in the country where I reside. Therefore, I remotely access Emby since it serves the music as is - which is high bitrate *.mp3 and *.m4a in my case - and I'm running Synfonium, which performs client-side DSP, on my mobiles. The trade-off is a tiny increase in power usage, but with larger batteries and fast charging, it's not an issue for daily use.