
> Keep in mind, my home assistant or esphome is NOT open to the internet, and only controllable by apple devices from outside the network.

Sounds like they’re network connected to me!



Attached to HomeKit, so the devices outside of the network need to use iCloud and HomeHub (Apple TV, HomePod etc) to bridge into the network.

In short your phone kindly asks an Apple TV (within your local network) to execute a device command on its behalf, via iCloud.

If you trust Apple to get their device-to-device auth and crypto right (which is the same stuff that powers iCloud Keychain), then you can trust HomeKit to not expose your home devices to randos on the internet.


I do the same thing, so I understand the topology; that’s why I pointed it out: your Apple TV can be made a trojan horse, as it were, for example if there is a 0-day in tvOS. (And you have to assume that there are.)

I’m not saying it’s likely you’ll be targeted, I’m just saying the actual security offered by this setup is not very good.


> If you trust Apple to get their device-to-device auth and crypto right (which is the same stuff that powers iCloud Keychain), then you can trust HomeKit to not expose your home devices to randos on the internet.

I would rather host a WireGuard VPN on my home network...


I've got a vanilla WireGuard host that terminates connections for my local network, but I've been thinking about trying out firezone [0] as it appears I can better segment (with firewall policy) those connections terminating at the host, within one UI.

[0] https://www.firezone.dev/
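One way to get the per-peer segmentation the comment above is after, as an added example that is not part of the thread or of firezone: a wg-quick config whose PostUp hooks install nftables rules confining the phone's VPN address to the Home Assistant host only. The LAN (192.168.1.0/24), the Home Assistant address and port (192.168.1.10:8123), the VPN subnet (10.8.0.0/24), the peer address (10.8.0.2) and the LAN DNS resolver (192.168.1.1) are all assumed values.

```ini
# /etc/wireguard/wg0.conf on the home gateway (constructed example, assumed addresses)
# Assumes: LAN 192.168.1.0/24, Home Assistant at 192.168.1.10:8123,
# VPN subnet 10.8.0.0/24, nftables installed, wg-quick used to bring the tunnel up.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>   # placeholder, generate with `wg genkey`

# Routing from wg0 into the LAN has to be enabled for forwarding rules to matter.
PostUp = sysctl -w net.ipv4.ip_forward=1

# A dedicated nft table so the rules come and go atomically with the tunnel.
# Only traffic from the phone's VPN address to Home Assistant (plus DNS) is forwarded;
# everything else arriving on wg0 is dropped, so a compromised phone cannot reach
# the rest of the LAN (ESPHome nodes, NAS, other devices).
PostUp = nft add table inet wgfw
PostUp = nft add chain inet wgfw forward '{ type filter hook forward priority 0; policy accept; }'
PostUp = nft add rule inet wgfw forward iifname "wg0" ct state established,related accept
PostUp = nft add rule inet wgfw forward iifname "wg0" ip saddr 10.8.0.2 ip daddr 192.168.1.10 tcp dport 8123 accept
PostUp = nft add rule inet wgfw forward iifname "wg0" ip saddr 10.8.0.2 ip daddr 192.168.1.1 udp dport 53 accept
PostUp = nft add rule inet wgfw forward iifname "wg0" drop
PostDown = nft delete table inet wgfw

[Peer]
# The phone. AllowedIPs is also WireGuard's source filter: packets from this peer
# that do not carry 10.8.0.2 as source are discarded by WireGuard itself, so the
# nft rules above cannot be sidestepped by claiming another VPN address.
PublicKey = <phone-public-key>     # placeholder
AllowedIPs = 10.8.0.2/32
```

Each additional peer gets its own /32 and its own accept rules, which is the same model a UI like firezone presents as per-user policy; check the result with `nft list table inet wgfw` after `wg-quick up wg0`.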


Didn't know that project. Sounds like an open-source Tailscale with more features. Love it, thanks for sharing!


This would not work with Siri, which is the requirement to open a garage door hands-free by voice with your iOS device.

