browsers can have security vulnerabilities in their complex parts that grant the website powers it shouldn’t have. depending on the kind of vuln, it could enable readout of browser memory contents (like cookies containing access tokens), modification of it, execution of arbitrary program code supplied by the site, etc.

clipboard history is different from the system clipboard. it works the same way on kde plasma, probably windows too. it depends on the keyboard on android to clear it from the system clipboard too, it seems the samsung keyboard devs did to bother with this

you start with authenticated things, like forgejo and such, and always double check that anonymous visitors don’t see any data.

but generally it’s also not wise to just expose most services to the internet. jellyfin for example had lots of leaks because lots of API functionality was accessible without authentication. I don’t know if it’s been fully fixed.
expose a wireguard, it is safe, it is security software, and access everything else through it. you can keep using your domain for internal services.

with copyparty there’s an added risk. if police finds you hosted child porn, they won’t care if it wasn’t you who uploaded it. someone reports it to them, they steal all your computers, worst case you can even end up in jail.

ah yeah, I’m always dancing when hacking gov systems