Personally, I encrypt only certain folders (not that its possible to encrypt the nas as a whole), but just because I really don't want access to those folders in any case.
Not worried about physical access but remote access can be a problem ofc. 1st thing ofc is to secure and harden remote access then, as an additional layer, you can always go with encryption. Saying that, off the bat, I would say if remote access is your primary concern then secure it and later on think about physical one.
In transit between known endpoints but when there is less trust in the medium through which the data is transported.
In storage to protect from unauthorised disclosure.
The first case is what is applied when connecting across the Internet, say for passing personal data to a website. This protection is only when the data is passing the two ingress/egress points of the secure connection, beyond these points the data could be in clear or may be have other protections to secure it. For instance, you may make a purchase from an online retailer that uses a secure website, but this only secures data between the browser and webserver. There is no guarantee that the internal servers that the webserver uses to store content and our purchase information will have data transferred securely to them.
The second case is to add further electronic protection to any authentication and access controls already in place, in the case where physical access is gained to the storage devices. In general, most data isn't of a private nature so using full disk encryption may not be required, and a more focused approach can be used for a selected dataset. However, full disk encryption would mask where the interesting data is.
Given that most attacks will be electronic in nature then ensuring that strong mechanisms are used to for authenticating access requests, limiting access anc controlling what is accessible, and strongly encrypting connections should be the first concern. This means:
Setting up remote access (SSL-VPN and OpenVPN, then L2TP/IPsec) with strong passwords and 2 factor authentication (DSM supports this for user accounts).
Limiting who can connect using remote access.
For any Internet accessible services, including remote access, if possible, limit regional accessibility
Limit the accessible services that are available from the Internet.
Only permit secure connections to these services.
Don't permit direct access to the main DSM/SRM web portal, these can used by remote access.
At least, limit admin accounts access from LAN side IPs.
Personally, I encrypt stored data that I need secured and not, say, the iTunes media library. I've three WD MyBook Studio drives that encrypt their data and their internal disks cannot be moved to another enclosure in the event of a MyBook power brick dying. The MyBook encryption key is hardware stored and not extractable, unlike on DSM ... so be very careful to keep any encryption keys safe when doing a full disk encryption.
Never, ever use a home Internet router/firewall's DMZ feature: if they have one, it usually punches a hole straight through from the Internet to a target device and most home users will not be capable of configuring that device to withstand probes and attacks.
Unless someone here works for Google Security, there's no way of knowing for certain. However, Google has access to all your files, so unless you are encrypting everything on Google Drive, you are insecure.
Quickconnect is a set of mechanisms that enable connectivity to the NAS. They default to direct access between the client and NAS but can invoke a proxy server to bridge the two endpoints (such as when the NAS uses ports that are blocked at the client's location). There is a risk that the HTTPS traffic is exposed during the transition through the proxy service: the client makes the connection to proxy and the proxy makes the connection to the NAS. But Quickconnect doesn't have any login rights to your NAS.
Synology don't have physical access to the NAS at your house, I'm guessing. Which would mean that either you have given them access via username/password or there's a backdoor. If you have no Internet access to the NAS then Synology cannot access your data.
Any public cloud service is physically present somewhere on the surface of the Earth and, as such, whoever has access to the devices holding your data could access your data. Unless all data sent to a public cloud service is encrypted by you (either by the provider's client app or specifically by you) then access to your data is restricted through the application authentication, access controls, and corporate security policy ... but is still possible because it is held in clear.
Apart from hacking and peeking concerns... should you draw the attention of govt agencies, Google will kindly provide access to your file storage/history to those authorities when the proper paperwork is presented.
Oh yes, and the jurisdiction of the country where your data is held will be applicable. And you probably won’t know where this is unless you have a contract with the cloud storage provider that enables you to select the location(s).
don’t worry about the quickconnect, more important is your WAN/LAN infra and status of your skills to secure these weaknesses (include the NAS). 99% of the “door opening” comes from a neglected attitude or ignorance of basic principles.
Rusty’s point is good way to start better security for your NAS & of course data in the NAS.
Sometime just look in to your prevention system/s how many IPs try to break to your LAN. A lot of attempts.