As self-hosting is not just "home-hosting" I guess this post should also be on-topic here.
Beginning of the year, bleeping-computers published an interesting post on the biggest cybersecurity stories of 2023.
Item 13 is an interesing one. (see URL of this post).
Summary in short A Danish cloud-provider gets hit by a ransomware attack, encrypting not only the clients data, but also the backups.
For a user, this means that a senario where, not only your VM becomes unusable (virtual disk-storage is encrypted), but also the daily backups you made to the cloud-provider S3-storage is useless, might be not as far-fetches then what your think.
So .. conclussion ???
If you have VMs at a cloud-provider and do daily backups, it might be usefull to actually get your storage for these backups from a different provider then the one where your house your VMs.
The issue is not cloud vs self-hosted. The question is "who has technical control over all the servers involved".
If you would home-host a server and have a backup of that a network of your friend, if your username / password pops up on a infostealer-website, you will be equaly in problem!