Yeah, no. In the ideal on premise setup you can shutdown remote access on the network level. You're not an admin? You cannot reach admin tools from your VPN. You can also always offer a personal two factor authentication for exemptions, introduce four-eyes policies, etc.
Of course, this is complicated and a big part of the reason cloud is so successful is that the engineers capable of doing complicated stuff are hired by the cloud providers. My pet theory is that FAANG pay so high salaries to prevent competition and home-grown solutions as much as possible by attracting the top x% of the talent pool.
I think by starting small. Setup a raspberry pi for home automation, etc. Maybe connect a NAS or so. Add your own dedicated server with domain name, etc. My hypothesis is that you learn much more effective by learning the basics because 99% of the shiny fancy cloud-scale tools deal with inconveniences that occur when you do basic stuff in a larger setting.
Of course, this is complicated and a big part of the reason cloud is so successful is that the engineers capable of doing complicated stuff are hired by the cloud providers. My pet theory is that FAANG pay so high salaries to prevent competition and home-grown solutions as much as possible by attracting the top x% of the talent pool.