Forwarding one TCP port is, honestly not that big a deal. Setup-wise, it's just as easy as turning on UPnP.
Security-wise, it's only as good as Roon's security. On that note, I'd point out that — in its default installation — Roon runs as root, which might be OK for an application running...