If you don't install anything besides Bitcoin Core, then you certainly don't need Umbrel. But even Umbrel doesn't think Umbrel is secure, see: https://github.com/getumbrel/umbrel/blob/master/SECURITY.md
Docker is one example of a 3rd party vulnerability, but imo the biggest security hole is node.js packages. I assume Umbrel learned their lesson and no longer set a default password. This pw used to be "moneyprintergobrrr" and plenty of people lost sats because of it, and more than once.
That's fair. Also, security is not a boolean. Umbrel is disclosing known weaknesses. Seems responsible to me, especially when dealing with money.
I would not call these node packages holes but rather attack surface.