My thoughts exactly--Having a fleet of client-side machinery open to the Internet sounds like a larger overall risk footprint than having one hosted solution. I'm guessing a bit part of this is just customer psychology and lack of education.
Every open3ABox has an open websocket connection to my server. I do the monitoring over this connection and for updates and support I tell the box over the websocket connection to forward a port via ssh to my server. The port will be automatically closed by the open3ABox after three hours.
This means no constantly open port and an encrypted connection where only my server is allowed to do a remote function execution (get monitoring values, open port, etc.) on the box.
That is very clever, I like it. Especially dependency on proven and simple technology. VPN swarm like e.g. ZeroTier which I was thinking about would be too complex and thus harder to maintain.