The biggest leap of trust is to use the QuickConnect relay service (Control Panel -> QuickConnect -> Advanced). The relay service is made up of two client connections and bridges Internet requests back to the NAS:
A client connection from the NAS out to the relay server (this gets around opening [server] ports on your Internet firewall/router)
A client connection from the Internet in to the relay server.
This is in effect a reverse proxy where the relay server uses a Synology SSL certificate to encrypt the connection from the Internet device. This means that the relay server, and potentially other devices connected to it, can decrypt the connection and inspect/monitor the data. There is then a re-encryption using the NAS's SSL certificate.
You have to trust that Synology won't do anything to the data while it is decrypted. You can still use QuickConnect without the relay service but you will have to enable port forwarding in your Internet firewall/router to the NAS's private LAN IP.
Even without the relay service QuickConnect can help determine the best IP to use to connect to the NAS: if the client device in on the same LAN then QC will use a direct connect using the LAN IP.