Public device link, security and MQTT

We use the public device link in order to access our balenaCloud device which has JWT authorisation.

Having spoken with other companies in the IoT space, it seems a common pattern is to use MQTT in order to avoid any external connections being made directly to a device, in favour of the device itself connecting to a single broker. This seems like a logical approach; however, I am interested in its relevance for balenaCloud.

What are the security risks of enabling the public address? Are there any best practices suggesting that the public address should be avoided in any scenarios? What potential downsides, aside from added complexity, come from using MQTT to broker all communications to an external service?

I welcome any thoughts or experiences, especially if someone has changed from a public device address approach to one that makes use of MQTT.