One important thing that hasn’t been mentioned is that the authentication in OH only protects the admin features. It doesn’t protect everything. By default without the reverse proxy, users can access parts of your REST API (e.g. see, update, and command Items) without authentication. Your Main UI can be accessed. And so on.
It does not provide complete auth and auth.
I’ll also mention that most people do not have the technical expertise nor the time required to initially set up and continuously monitor a service like openHAB directly exposed to the Internet. As a rule of thumb, my approach is “if you have to ask you probably shouldn’t be taking on that risk in the first place.” The Internet is a dangerous place. There is evidence that openHAB has been included in the various attack bots that are out there on the internet constantly probing machines for weaknesses. Your machine will be attacked. Do you have the skills to know when it’s under attack, mitigate the attacks, and discover when an attack was successful?
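The post's point that openHAB's built-in authentication covers only the admin features, leaving the REST API and Main UI reachable without credentials unless a reverse proxy is in front, is easy to verify against your own installation. The following self-audit script is an added example, not code from the post or from the openHAB project: it requests a few paths anonymously and reports which ones answer with content instead of a 401/403. The path list (`/rest/items`, `/rest/things`, `/`) and the base URL are assumptions about a typical install; adjust them to your own setup, and run it only against an instance you administer.

```python
"""Self-audit: which parts of my openHAB instance answer without credentials?

Added example (not openHAB project code). Run against your OWN install to
confirm that a reverse proxy (or other control) is actually enforcing
authentication on the REST API and the UI, not just on the admin pages.
"""
import sys
import urllib.error
import urllib.request

# Assumed paths for a typical openHAB install; the REST paths are the ones
# the post mentions as exposing Items without authentication.
DEFAULT_PATHS = ("/rest/items", "/rest/things", "/")


def probe(base_url, path, timeout=5.0):
    """Anonymous GET; returns the HTTP status code (no credentials sent)."""
    url = base_url.rstrip("/") + path
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 is the outcome we want to see


def classify(status):
    """Map a status code to what it means for an unauthenticated caller."""
    if status in (401, 403):
        return "protected"
    if 200 <= status < 300:
        return "open"          # content served with no credentials at all
    return "other"             # redirects, 404s, 5xx: inspect manually


def audit(base_url, paths=DEFAULT_PATHS, fetch=probe):
    """Classify each path; `fetch` is injectable so the logic can be tested
    offline with constructed status codes."""
    return {path: classify(fetch(base_url, path)) for path in paths}


def unprotected(results):
    """Paths that served content to an anonymous request, sorted."""
    return sorted(path for path, verdict in results.items() if verdict == "open")


if __name__ == "__main__":
    # Assumed default base URL for a local openHAB instance; override via argv.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    results = audit(base)
    for path, verdict in results.items():
        print(f"{verdict:10s} {path}")
    exposed = unprotected(results)
    if exposed:
        print("Reachable without credentials:", ", ".join(exposed))
        sys.exit(1)
    print("All probed paths require authentication.")
```

If the script lists `/rest/items` as open on an instance that is reachable from the Internet, the built-in login is not protecting your Items; the usual remedy the post alludes to is a reverse proxy that authenticates every request before it reaches openHAB. Re-run the audit after adding the proxy to confirm the paths now return 401 or 403.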