The NVR is not directly on the internet, in that the NVR accesses the internet from behind a firewall. So the IP for the NVR is directly scannable. Reolink provides peer to peer (P2P) connection service between their app and devices, and there has been some discussion about Reolink's security. This is primary threat vector: the NVR phones home, so their server can mediate P2P connections to the app. This creates an opportunity to be compromized if Reolink's systems are hacked. But Reolink is popular enough that they get a lot of scrutiny. And Reolink
uses security as a marketing opportunity. P2P from a reputable brand is nothing like P2P from some random sketchy vendor on ebay.
Lets assume someone did compromise Reolink and was able to spy on their cameras. The nature of that type of breach would mean the perp probably has access to many cameras. They'd be checking cameras for something interesting to them - which unfortunately in today's world likely means cameras in bed rooms. My cameras wouldn't get more than a passing glance as they look for what they're after.
Nothing is 100% secure, but for outdoor use I'm not not the the least concerned.
IMO, people should be much more concerned about having glass windows in their houses. Anyone with rock can get in.