OctoPrint is not designed for security, it is not audited or looked at by security researchers and we make no suggestion that the built in authentication will protect you. It is always advised to use some other form of authentication that is designed with web security in mind. Even a reverse proxy is better.
OctoPrint previously did not have authentication, then it had optional authentication and now it has mandatory authentication setup to provide the bare minimum because people still would not listen about exposing a device with heaters & motors to the public internet. If someone were to gain access to your OctoPrint install, they could start a fire with your printer.
This topic has been discussed at length across the forums so please use the search to find previous discussions.
We recommend solutions such as a VPN or remote access plugin (those that tunnel to the OctoPrint UI are most popular) because they very easily provide their own security around OctoPrint, so yes you shift the potential of 'what if XXX got hacked' elsewhere, but to software that is designed to better withstand attacks. You could set it up securely yourself, but we would generally not recommend it because of the knowledge of web security that is required first - I would rather people went easy & secure, than hard and mess something up.
This is not how OctoPrint works unfortunately, your OctoPrint server must connect directly to the printer. Without an extensive rewrite of OctoPrint's communication layer, you will not be able to host OctoPrint remotely from your printer.
I'm new to OctoPrint and 3d Printing, but still OctoPrint just sends/receive gcode from the printer, so having middleware in between should not break OctoPrint functionality, assuming that middleware is doing it's job correctly.
I'll open new thread for this when I gather more info, it's still just an idea.
Middleware between the pi and printer is not going to do anything but cause printing issues. Octoprint needs a direct, uninterrupted, unfiltered connection to the printer. Anything that could cause even the slightest pause in the comms will cause artifacts and/or print failure.
As stated previously, you need to use a secure connection if you want remote access.
Further to the other posts, when you open a port to the internet it is a invitation to the port scanners to come and find your, then probe the port for every published, and unpublished vulnerability. Have a look at your router log for dropped incoming connection attempts, the number of entries in the logs will be scary. This is how DDOS attacks are made, using unpatched devices that are open to the Internet.
So don't, but I think you understand why.
[In my previous life, one of my responsibilities was for the security of services delivered over the internet, and its hard, even with intrusion detection and full blown firewalls with cyber experts doing the support]