Yea, I think that’s how it works too. I guess my question was more a misunderstanding of how DNS works, thinking that the HTTP request was sent to the DNS server and then forwarded on once the public IP had been obtained. Rather than how it actually works returning the public IP to the user who then makes the HTTP request directly to the public IP.
So yes, looks like you just need to worry about the concerns you raised, which are standard for any web application or server. Which should be mostly mitigated by using the HTTPS protocol which looks fairly easy to be added into Flask!
I wasn’t really aware of VLAN but after a bit of research not sure I’ll be able to use it. Firstly, I don’t think my bog-standard internet router has the functionality. Secondly considering it seems device specific rather than program specific and my raspberry pi is also hosting my Plex media server which needs access to the local network, not sure it’s applicable? Might be worth getting another raspberry pi for security?
Thanks again for your help!