If you’re properly using HTTPS/TLS, and have appropriate firewalls in place, then yes, you’re correct - the risk is significantly reduced. At that point, it basically comes down to your preference: is the additional maintenance burden of a VPN worth the reduced risk of some unknown exploit in Ignition compromising things? In pretty much all respects, the VPN is the “safer” option - I can’t make the decision for you, but if you don’t have a compelling reason to, I would be pretty cagey about exposing a gateway to the internet.
As for Ignition itself - we have conducted (and passed) external security audits before, but there’s still a matter of attack surfaces. Something like OpenVPN has gone through hundreds of times more testing than Ignition itself, so the theoretical probability of a vulnerability is therefore probably lower.