How would they enforce this on open source projects without companies behind them?

This doesn’t require the user to be able to block, it’s required that there is the ability to block a user from the system in general.

Its a surprise to me that a reddit post or any kind of random text blurb can be used as an admission of anything. What if the guy simply says I made all that up for fun? There is no requirement for text written on the internet to be under oath. Edit: fixed spelling oauth -> oath ;)

Yes you should be worried. Dont expose services you’re not able to keep up to date and know how to manage and secure. Using tailscale is a great alternative as it allows you to have access without exposing anything to the internet, I’d prefer that. For everything else, subscribe to a CVE service for those (I use nextcloud and matrix and follow all security findings) and be ready to take them offline as soon as a critical exploit appears. Dont expose your passwords directly to the internet - ever; no matter if anyone else tells you its OK.