From my understanding you can run into issues when you have a combination of ports being forwarded and some other issue like SSH enabled on a Raspberry Pi with default credentials but I feel like I’m missing things or misunderstanding port forwarding.
I don’t know if, for example, a computer connected to a network running a dated version of Windows is a risk simply because it is connected to the network. Even if it isn’t being used for things such as web browsing.
I’m more concerned about remote threats versus local ones like someone having access to my WiFi password.
If your port forwarding ssh and ssh is using default creds you shouldn’t do that. Change those credentials.