By default, the web GUI only listens for connections from localhost (127.0.0.1 or ::1 for IPv6).
If you decide to change this to make it listen to the whole world (for example, 0.0.0.0), then make sure you set up a username, password and HTTPS.
Otherwise, anybody can connect to your server and do anything they want with your Syncthing. This includes editing or deleting your files, impersonating you to other Syncthing users in your network, filling up your computer’s storage, etc.
The default is safe — it only allows connections from the local machine. It is the so-called “power users” who are changing the default and leaving themselves open to the world.
Again: you cannot. Your computer will accept any incoming connections on a given interface. Something like your router - which is on your LAN - could quite happily forward packets from the wider internet onto your LAN, if you’ve configured it to do this, for example.
You could use a firewall to reject packets with a particular source, but Syncthing cannot know about this.
I use NGINX with reverse proxying with its own auth. How do I disable the big red warning? There’s nothing in the documentation (I assume this is the blessed doc http://docs.syncthing.net/users/config.html)
And “every device in your network” probably includes printers and other hardware with software which very rarely gets updated. This is a recipe for disaster, and printers, coffee machines, fax devices, copiers and so on have all been used in malware campaigns before. Also if your network uses wifi and you ever gave the key to anybody with an Android, Apple, Windows Phone or Windows 10 device, chances are very high that your wifi key is already in someone else's hands, because backing up wifi keys as cleartext is the default behaviour on those systems.
Oh, Apple and Google also know where to find your wifi, because this data is needed for the “wifi-assisted” location services. Whether you should be concerned about this is your decision. But I prefer to use SSH forwarding.