@Guru_Of_Nothing If you have all of your controls behind your firewall, password protected, you should be fine provided nothing needs to go outside your network for any reason.
HomeSeer has a Raspberry Pi option but there is a cost and it is limited to, I think, 5 Linux plug-ins. It can run completely local though, requiring no external internet access. If you want phone app access you can create custom touch capable screens but that requires an additional application. You can also access the web page you would use at home and can password protect it as well. They have a free phone app which automatically makes buttons for you but I think that requires connection to their web server, which I believe is in the states. I am fairly certain the HSTouch allows you to stay local or can be accessed across the web if you expose it and has the ability to allow for multiple users with different permissions, all password protected. So without needing to write a lot of code it provides a quick hub to control a lot of items. I run it on an old Dell pizza box desktop. Doesn’t require much as far as a system is concerned but with the Windows version I can have many plugins for things like calendar integration, IP cameras, MQTT, control of my A/V equipment, and more.
I cannot speak to NodeRed, Home Assistant, or others. Most of these were not around when I started down this rabbit hole 14 years ago. I know many use some of the open source hub applications but I do not know if they require internet access for anything.
Your MQTT Broker should be a local network item since it is on a RPi. So there should be no fear of it being hijacked unless someone gets onto your network. Note that the RPi running the broker could be in your house and you only need one broker. It is the switchboard operator for MQTT so it just receives and distributes the topics. You could have your arduino in your box subscribe to topics. And if you use different topics on your system than what you post in your code, and also use different IPs than those in your posted code, you are not giving away the keys. Sure, if I could get on your network I could try to find the MQTT broker and then use an app to listen to the topics, but I need to be on when a topic is sent. As for setting dummy settings in your code and instructing others to change it to suit their needs, people do that all the time so anyone coming behind you should have little problem doing this provided you add comments/instructions to do so. In most cases these are constants at the beginning of the code. Bottom line: Don’t confuse the Mosquitto broker with the cloud based brokers out there. It does not require an internet connection to do anything and is therefore as secure as your network. Shoot! It could all be hardwired and on a part of your network not accessible by wifi if you wanted. Especially if you are building any of the MQTT units.
Take a look at what this guy has done: MQTT Wall Controller - project update - prototype in the wall. As I recall he has the ability to send the arduino MQTT codes to change the operations of the buttons on his wall controller. You could probably do something similar to send a new security code. Of course, you could also just have access to the USB on the arduino and connect a laptop to the unit and download new code with an updated security code. That would be a lot less programming and since you can mechanically unlock your box, you should be good. And speaking of that, your biggest security flaw is that I could get to your arduino unit and re-program it allowing me access without you knowing. The only way to stop that is to run ethernet to the unit and put it in a locked metal box inside your delivery box.
Frankly, for your box (I was watching your videos earlier, nice job!) I would be willing to use MQTT to send commands to the unit provided I used a local broker (your RPi running Mosquitto) and didn’t have an open network. You could have other arduino units in the house or wherever with nothing more than a simple button that sends an MQTT topic and payload to unlock your box. Again, unless I am on your network I cannot send the same information to open it.
All this said, I also prefer to not use wifi for controlling my more important items. I especially don’t like it for something sending data around with any regularity. That is why much of my stuff is z-wave. It is off my data network. But MQTT is very light and fast, which is why I have moved to it over using a web page to control my arduinos.
I hope this was helpful. My apologies if I repeated anything you already understand.
And the comment “Just because it can be done doesn’t mean it is a good idea…” is something I say all the time. And I often enforce it with “I can put my car in reverse, but I don’t drive to work that way.” :-)
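Added example (not part of the post above, and not HomeSeer or Mosquitto project code): a small Python check of a `mosquitto.conf` for the two conditions the post relies on, a broker that is only reachable on the local network and is password protected. The sample configs, the address and the file path are constructed, and the check assumes global (not per-listener) settings.

```python
import ipaddress

# Constructed sample configs; the address and file path are placeholders.
OPEN_CONF = """\
listener 1883
allow_anonymous true
"""
LOCAL_CONF = """\
# bound to the Pi's LAN address, login required
listener 1883 192.168.1.10
allow_anonymous false
password_file /etc/mosquitto/passwd
"""

def parse(conf_text):
    """Return (key, [args]) pairs, skipping blank lines and # comments."""
    pairs = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, *args = line.split()
            pairs.append((key, args))
    return pairs

def bind_is_local(addr):
    """True only for a specific private or loopback IP (hostnames are not judged local)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private and not ip.is_unspecified

def audit(conf_text):
    """List settings that let the broker be reached or used without a login."""
    findings = []
    pairs = parse(conf_text)
    for key, args in pairs:
        if key == "listener" and not (len(args) > 1 and bind_is_local(args[1])):
            findings.append("listener %s: not bound to a LAN address" % " ".join(args))
    settings = {k: a for k, a in pairs if k != "listener"}
    if settings.get("allow_anonymous") != ["false"]:
        findings.append("allow_anonymous is not explicitly false")
    if "password_file" not in settings:
        findings.append("no password_file: clients are not authenticated")
    return findings

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("local", LOCAL_CONF)):
        print(name, audit(conf) or "ok")
```

An empty list from `audit` means the file matches the local, password-protected setup described in the post; it does not check the firewall or the wifi network itself.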