Normal domain only for allowing others access to specific services (like friends+family into emby/plex/jellyfin). VPN for easily secured access to all the backend interfaces like radarr/sonarr/qbittorrent or private services like vaultwarden.
I also run the VPN to keep mobile devices behind pihole for adblocking.