there are xpenology users not having updated for years ...
most of the stuff you are worried about should have been answered by yourself before installing xpenology for more than testing
"bricking" (it's not like that because it's still possible to downgrade or do other things) can be prevented by disabling internet access to the ip address of your xpenology box and only installing proven updates manually (or disable access to all domains involved in updating)
if security is most important don't use xpenology, you rely on a lot of code from the loader and drivers (or 3rd party packages) that you can't check, you trust a lot of people you don't know anything about and even if you trust them there is no guarantee about 3rd party hacking the one you are trusting or a man in the middle attack
you can use open media vault as alternative to xpenology, it's even possible to use it temporarily by booting omv from an added media (can be usb or hdd), you might need to fix the volume label to mount the dsm data volume with omv but that's not a problem for later using dsm again
https://xpenology.com/forum/topic/42793-hp-gen8-dsm-623-25426-update-3-failed/?do=findComment&comment=200475
if you prepare that media you can switch at any time and still access your data by local network
besides this it's also good to have backup(s), should be normal as besides security/hacking there are also risks with hardware involved (specifically when dsm's ssd cache is involved i'd recommend having a recent backup all the time)