Security is a rabbit hole and you can go very deep depending on your risk model (an ordinary middle class people has different cybersecurity risk than, say, a CEO of a major bank). Let’s say you are an ordinary lemming that don’t have to be worry about being specifically targeted by a hacker group or a nation state, you just don’t want some botnets get into your network and take over your IoT stuff, I think the following is reasonable enough:

• by deploying your HA instance using docker or VM, if it somehow got compromized by an automated botnets / malware, the infection will be contained and you can easily wipe it off and start again. Real hackers might be able to escape the sandbox but run of the mills botnets that always scan the internet for exploits usually don’t.
• setup OTP: https://www.home-assistant.io/docs/authentication/multi-factor-auth/
• you can max out security level of HA login page (or the entire HA) using cloudflare’s firewall rule: https://developers.cloudflare.com/firewall/cf-dashboard/create-edit-delete-rules/ . This should stop most bots from trying to bruteforce your login page.
• assuming you’re using cloudflare tunnel, you aren’t actually exposing your entire machine to the internet, but just the homeassistant port. That being said, it’ll be nice if you take some precaution and disable root ssh login and perhaps disallow password login too, just for peace of mind.

Tailscale is a virtual lan network. When you enable tailscale, you’ll have an additional network and ip address in your connected devices. It’s not actually redirecting all your traffics there, unless you specifically configure it to do so (if you do so, you can designated a device as an “exit node” for your outbound traffic).