Little steps.
At least make things harder for the attacker.
sudo adduser --system --group --home /var/roon roon
sudo adduser roon audio
sudo chown -R roon:roon /opt/RoonServer /var/roon
sudo chmod 755 /opt/RoonServer
sudo vi /etc/systemd/system/roonserver.service
Edit the file so that RoonServer starts as User=roon.
Then
sudo systemctl daemon-reload
sudo systemctl start roonserver
Now RoonServer should be running as an unprivileged user.
If you’re still queasy about running an Internet-facing daemon on QNAP, then consider buying a NUC, running RoonServer on that (NFS-mounting your media files from your QNAP).
Or run Roonserver in a Docker Container on your QNAP…