It's not so bad IMO. I self-host a lot but I use a mesh VPN, Tailscale, to get to it. It's much safer not having my stuff exposed to the whole internet, I don't need to have incoming ports open, I don't care if my IP changes, etc.
Yes. They run public DERP servers. I'm no longer on an ISP with CGNAT, but never had an issue - marginal (like 10%?) throughput penalty, but not enough to notice with only a few users. I understand you can run your own DERP, though I never had the need, and it Just Worked.