I strongly support keeping the device as independent as possible with all resources hosted locally. I have my device completely walled off from the internet with only access from my local network. It is even on its own VLAN. For remote access, I have my phone connected 24/7 via the WireGuard VPN to my home network and I can do the same on demand for my MacBook. For automation, I run an MQTT server on an SBC linux box (on which I run many services) so an MQTT client on my phone is always available to get updates thru the VPN. The only packets allowed to leave my device are responses to local requests, NTP, and MQTT only to the MQTT server. This gives me ultimate security. I do not want to be loading resources from the internet as a security hole.