The others already have a lot of material you can go through that will help protect your immuch instance. Some things I would further recommend looking into:

• Keep Immich up to date. But also wait at least a bit before upgrading. Both old and very new versions can contain vulnerabilities. With immich and it's release process I wait at least a .week before upgrading a minor version (2.X.n)
• Exposing publicly makes you at least as vulnerable as the exposed app. So always try to get a feeling for how aware the devs are about security. Immich already has a good stance.
• Try to build some form of monitoring. I have Caddy as reverse proxy that exports metrics about the served domain where I can track and alert myself, when there is unusual activity on my immich domain.