The Most Secure Unattended Access?

Hi,

I am wondering what the most secure unattended access method would be in under following contitions:

1. My office and my LAN is very small and comprehensible. Only me and sometimes an assistant is working there. There is only one desktop computer, two Laptops and a NAS.
2. I have an OpenVPN with certificate authentication plus user authentication with strong passwords (40-50 characters made by a password manager). So two factor athentication. Only I have access to the VPN.
3. The firewall is closed only the VPN can enter to the LAN.

Therefore I don't really want to open another door for TeamViewer even with "easy access" and no passwords and access only through the account. If somebody manages to steal my iPhone or MacBook and hack into it... The TeamViewer app is there, probably logged in to the account. The devise is verified. Also the 2FA app is there. So the remote access is only a view clicks away and with no restrictions. Is TeamViewer account really so safe? Would it not be possible for a hacker in the future to hack it? With "easy access" as soon as you managed to enter the account you are free to access the computer without any further security control. Therefore I try to evaluate following three remote access methods with each other.

1. "Easy Access" with no random password and no personal password. Access only through my account.
2. Personal password access with 50-60 character long passwort (made by a password generator) and with whitelisting only my account. Then the machine also should only be accessible through my account plus it is protected with an additional strong password in case somebody manages to hack the account.
3. Limit the TeamViewer app access to LAN exclusivly plus the strong personal password from above. Then it can be only accessed from my small comprehensible LAN and the remote access is controlled by the strong OpenVPN with certificates and passwords which don't need any third party to be involved. TeamViewer mentions in it's manual that the exclusive LAN connection will be only secured with a symetrical key because the app can't interact with the TeamViewer server. Is this really a security problem? Also the connection through the TeamViewer account will be a symetrical encrypted one after the inicial asymmetric handshake as far as I understand.

Please correct me if I there is anything wrong in my above mentioned concepts and thoughts. What do you think? What is more secure? What are the pros and cons? What did I forget?

Looking forward for your feedback. Thank you.