I think it is important to know that there is no E2EE (end-to-end encryption) between peers such as a home router and a public device anymore when using WG hub and spoke. The external VPS provider will be able to read all traffic in plain text if no underlying encrypted protocol such as HTTPS or SSH is used. You need to put your trust in the VPS.
I am an advocate of zero trust architecture, hence currently biased towards a more sophisticated FOSS solution like Headscale or Netmaker, which use NAT traversal techniques like UDP hole punching, STUN etc. or can resort to relay servers otherwise, which to my understanding still leverage E2EE (might be mistaken here).
Not sure what's currently the optimal solution for home labs… (see also Self-hosting advice)
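To make the trust boundary concrete, here is a minimal WireGuard hub-and-spoke configuration as an added example (not from the post above, and not from any of the projects it mentions). The addressing (10.8.0.0/24 for the tunnel, 192.168.1.0/24 behind the home router), the endpoint name vps.example.com and the key placeholders are assumptions for illustration. The point it shows: each spoke has a tunnel to the hub only, so the hub's wg0 interface carries every inner packet already decrypted, and the hub has to forward it and re-encrypt it towards the other spoke.

```ini
# ---- hub (VPS): /etc/wireguard/wg0.conf ----
# Assumed addressing: tunnel 10.8.0.0/24, home LAN 192.168.1.0/24 behind the router.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <hub-private-key>
# The hub routes between the spokes. Every packet that crosses wg0 here is
# already decrypted: "tcpdump -ni wg0" on this VPS shows the inner traffic
# in the clear unless the application itself uses TLS/SSH.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT

[Peer]
# home router; it advertises the LAN behind it
PublicKey = <home-router-public-key>
AllowedIPs = 10.8.0.2/32, 192.168.1.0/24

[Peer]
# roaming laptop ("public device")
PublicKey = <laptop-public-key>
AllowedIPs = 10.8.0.3/32

# ---- spoke (laptop): /etc/wireguard/wg0.conf ----
# The only peer the laptop has is the hub; traffic for the home LAN is
# encrypted with the hub's key, not the router's, so the hub can read it.
[Interface]
Address = 10.8.0.3/24
PrivateKey = <laptop-private-key>

[Peer]
PublicKey = <hub-public-key>
Endpoint = vps.example.com:51820
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25

# ---- spoke (home router): /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.8.0.2/24
PrivateKey = <home-router-private-key>
# forward between the tunnel and the LAN on the router side
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
PublicKey = <hub-public-key>
Endpoint = vps.example.com:51820
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25
```

The contrast with a mesh setup is visible in the `[Peer]` sections: the laptop never holds the home router's public key, so no session key is ever shared between the two endpoints. A quick check on the VPS is `wg show wg0` (one handshake per spoke) together with `tcpdump -ni wg0` while the laptop talks to a host on 192.168.1.0/24; unencrypted application protocols will show up in plain text there.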