>I am a bit concerned about their security track record given how bad their soho products are, so I ended up sticking with my opnsense router at the perimeter as the first line of defense.
Ubiquiti has had plenty of bad security issues as well I'm afraid, but fundamentally one of the advantages of both is that with a self-hostable controller and VLAN isolation you should be able to minimize your attack area pretty well from both the LAN and WAN. No remote dependencies at all. But like you I run OPNsense at the edge, you do at least have to trust their firewall and such if you want to go full single-pane.
Ubiquiti has had plenty of bad security issues as well I'm afraid, but fundamentally one of the advantages of both is that with a self-hostable controller and VLAN isolation you should be able to minimize your attack area pretty well from both the LAN and WAN. No remote dependencies at all. But like you I run OPNsense at the edge, you do at least have to trust their firewall and such if you want to go full single-pane.