Keep in mind that BasicUI has to be able to access the generic openHAB REST API and since BasicUI runs in the browser it means the REST API needs to be exposed as well. There isn’t a /basicui/rest because BasicUI doesn’t have it’s own REST API endpoint.
In this case it’s pretty much all or nothing.
As mentioned, VPN or myopenhab.org will be better options, though even with myopenhab.org. Having recently set up Tailscale I highly recommend it and I think openHABian has an option to set that up.
/basicui/rest could be another facade to the Java code behind /rest
And with the /basicui prefix access could be controlled by the Apache/Nginx before it, and basic auth with SSL could be enforced (or oauth2 if bigger guns are needed)