Why would we be surprised that Windows 11 accesses your NAS shares? Aside from defaulting to requiring a username/password and SMB signing, it works the same as Windows 10.
Yes, you would want a VPN or something similar running at your home, but the type and the way you set it up will vary. Does your NAS have the ability to run applications/services that you install, or is it a very cut-down device that only runs what was pre-installed? What model is it? What type of router do you use?
https://tailscale.com/kb/1307/nas (You can install it on devices other than what are listed there.)
A service like TailScale is handy because it easily handles dynamic IP addresses, which most consumer Internet services uses. So if your WAN IP address changes, your home device will just update TailScale's servers. Then your remote device checks with TailScale to find out the current connection properties. You don't even need to do any port forwarding in your router, as TailScale can facilitate connections through NAT. Or if your router supports adding applications, you may be able to run TailScale on it directly, although I don't think there'd be any big benefit, other than not putting the additional load on the NAS, but it may be more powerful than your router.
Or you can run a VPN service on your home router, which some have built-in or you could install. That avoids any outside services or costs being involved, but you will have to work with the possibility of your IP address changing. You can just manually input the new IP as needed (maybe calling someone at home to get it or using something like TeamViewer to remote into a home PC to find it, or by using a dynamic DNS service). You could also set up a small device like a Raspberry Pi or a cheap mini-PC to act as the VPN server or TailScale server.
Once connected, your shares will just work like usual, as the VPN/TailScale configuration should automatically include your LAN subnet to be routed over the connection. (If it's running on your router, you might even be able to access other PCs and network printers.) You will probably want to change your LAN subnet from the default to something random like 172.16.173.x (or any other unusual RFC1918 subnet), so that if you're at a remote location that happens to use the same default like 192.168.1.x there won't be any conflicts.
Of course there's also the option of just using something like Google Drive, Proton Drive, etc. to have the folders that you want to access synced to/from the cloud, so your PC can access them there when you're out. There are tools that will let the NAS itself do the syncing, or you could have a PC on the network do it using a tool that lets a network drive be synced to one of the services. This would cache the file locally to your machine when you open it, and upload changes that would then be synced to the NAS. This could be more reliable and faster since it's an asynchronous thing, rather than having the files continuously opened over the VPN using SMB. (I imagine opening some files this way would also be faster since the entire file would be copied to the cache first, rather than Windows trying to read the file via the slow VPN using normal file opening techniques.)