So what did you end up doing?
Option 3: open a port in my home router and use a reverse proxy. I disabled password authentication to reduce a bit the security risk (Only OAuth is possible).
https://immich.app/docs/guides/remote-access/#option-3-reverse-proxy