TigerVNC supports a bunch of encrypted authentication types: https://manpages.debian.org/bullseye/tigervnc-standalone-server/Xtigervnc.1.en.html#SecurityTypes
We are talking about a VNC “server”, so naturally it requires an open port. RealVNC has some additional (non-free or closed-source) techniques for authentication and also for mentioned spawning virtual sessions ondemand, but the only way around an open port (aside of VPN or alike) would be a constant connection or polling to a 3rd party server, which is not what I would call a sane solution.