No reason not to have both. Things like vaultwarden do warrant an extra layer so setup wildcard domain for internal services x.local.example.com and then normal certs for external stuff like y.example.com.

To get internal stuff you then need your vpn as well to access it. You can now easily choose what risk you want on a per app basis.

Technotim has a good video on this