I’ve had my VPS exposed to the internet for a while and never been pwned. No professional experience. Use SSH keys, not password authentication. Use FDE if physical access is in your threat model. Use a firewall to prevent connection on internal-only ports.
Vaultwarden will store your passwords encrypted (obviously) so even if your database does get stolen, the attacker shouldn’t be able to read your passwords without your master password.
I know about Tailscale. I don’t use it because I want my VPS to be exposed to the internet; some of my services are supposed to be public. And those that aren’t, have their own authentication systems that are adequately secure for their purposes. I just don’t need Tailscale so I’ve not bothered with the setup.