Will list a few approaches here
1. Use Zerotier instead of Tailsacle since it's just a matter of the relatives joining the network string through their client devices instead of the usual Google auth/SSO.
2. You can setup a VPS on nearest cloud provider and port forward only the 8089 port using ssh tunneling.
3. Get static/public IP from your ISP and host your server with decent firewall rules.
4. VPS with a Wireguard tunnel and Nginx reverse proxy for LetsEncrypt SSL cert for your domain is a complicated but doable solution too.
On a side note if the sharing is with people abroad/far routing is always going to be an issue.
So no matter your home-server and client bandwidth the actual throughput is going to be fluctuate with high and variable latency.
For security
1. If possible use separate VLANS for the the exposed server and rest of your network.
2. Use unprivileged containers or services when deploying the server.
3. If you plan to use VPS use firewall rules to limit access based on country, IP ranges etc.
4. Session limit your users.
5. Monitor logs for abnormal stuff.