A third option is to set up a Wireguard service and expose the web UI only through the VPN. I use the Wireguard app to connect my phone to my VPN. This solution seems very safe to me. Are there risks I'm not thinking of?
That's definitely better, if done right. I still prefer to avoid port forwarding on my router if possible. The fewer attack surfaces I have to worry about, the better.
