Not everyone is a techie and can self-host. You'd also need to self-host at home (even more of a pain). And anyhow, even if you are hosting at home, an internet-connected server is much more of a target than a usually-behind-NAT phone.
It is not externally accessible... only the home VPN is (I'm also using DDNS just in case my semi-static IPv4 changes). But of course nothing is 100% secure.
Sure, if you have a VPN that's probably fine. Though this is another piece of tech you need to set up, and thus another barrier for non-techies. That's why encryption (secure by default) is better than having users know how to securely set up things, and even needing to know that it's a concern.