Your (typical) home network is going to consist of "two sides" as it were. You have the LAN, the Local Area Network, this is where all your computers, printers, NAS, all this manner of stuff resides. You have the WAN, the Wide Area Network, which to keep it simple is the internet. Most modern internet connections are "dynamic" IP, meaning that your WAN side IP address changes from time to time.
Your modem/router has several functions in a typical setup. It both administrates the traffic between the IP addresses within your LAN (it usually is the point at which they are generated via DHCP) and it also is where traffic within your LAN has to go, the "gateway", to get to the internet.
It's inbound and outbound traffic is bound by the various programs you use but in a super simplified and general way you ask your computer to access a page the router tells the internet what and allows permissions for that information to come back to you.
In more complex situations you can open ports in your router and allow WAN side traffic (an outside computer, etc.) a "tunnel" as it were to come back to your LAN and access information. This generally requires that you either install a host program to make said possible (like for instance finding your dynamic IP), or have a static IP where the target is always at the same place. This wouldn't be something just "done" without your knowing outside of someone else setting it up, or your inadvertently installing a subversive program.
By default even Windows (10) doesn't allow remote connections without specific permissions and process.
So, TLDR is that the data you are sharing within your LAN computers is as secure as you are that you have no virus or apps installed allowing it to get out. As a side note, most ISP monitor traffic across their routers, even on the LAN side. I am 110% positive that Xfinity does so as it states it in the TOS. You can (technically) get around that by using your own router to handle DHCP and taking that ability away from the ISP equipment. They will still be watching traffic, but on WAN side (and that starts touching on VPN).