“Configure port forwarding” covers pretty much all of the steps. I don’t think that it would be any less secure than quickconnect through a relay, but if security is a priority, then look into setting up a VPN to your network instead.

You say you’re using QuickConnect, do you know if you’re getting a direct connection to your NAS or one through QuickConnect relay service? Maybe try opening the required ports and checking again.

Cockpit is quite mature and sponsored by Red Hat. Your users can log in with their normal account on the system which you can lockdown however you want.