The good news is that MS requires any user account that is going to connect via RDP to have a password, so you have some level of protection there. Forwarding port 3389 on your router to your machine on the home network will do the trick.
No, the connection is not encrypted. But a decent password on the account will prevent a brute force attack. Besides, I've had 3389 up and open for years and haven't even seen someone try to attack it (monitoring the audit logs in Windows). I wouldn't worry too much about that attack vector.
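
The audit-log check mentioned above can be scripted. This is an added example, not part of the original post. It assumes an elevated PowerShell session on the RDP host with logon failure auditing enabled; the function name and the 7-day window are illustrative choices.

```powershell
# Added example: summarize failed logons (Security event 4625) by source address.
# Assumptions: run elevated on the RDP host; failure auditing for logon events is on;
# Get-FailedRemoteLogon is a hypothetical helper name, not a built-in cmdlet.
function Get-FailedRemoteLogon {
    param(
        [int]$Days = 7   # look-back window, illustrative default
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue suppresses the "no events found" error on a quiet host.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the event's named EventData fields into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            # LogonType 10 = RemoteInteractive (RDP without NLA).
            # LogonType 3  = Network (RDP with NLA, but also SMB and similar).
            if ($data['LogonType'] -in '3', '10') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Source    = $data['IpAddress']
                    User      = $data['TargetUserName']
                    LogonType = $data['LogonType']
                }
            }
        }
}

# One row per source address: attempt count, usernames tried, most recent attempt.
Get-FailedRemoteLogon -Days 7 |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } },
        @{ n = 'Last';  e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } }
```

An empty result means no 4625 events were recorded in the window, which can also happen when failure auditing is turned off, so confirm the audit policy before reading it as "no attempts".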