The way to think about this is trust. Right now, you trust everything on your internal network, and nothing external. This is because you are confident that your internal network devices are under your control, and know that you don't control anything external. Anything external is untrusted (this is not a word, but is commonly used)

Any interaction between the internal and external networks results in a decrease in trust of the internal network. Because even when browsing a webserver on the external network with something on the internal network you are exposing it - perhaps something malicious could take advantage of a vulnerability in your browser for example.

This type of risk is mitigated by careful control of outgoing connections. In a corporate setting you might use a proxy server for web traffic, one that can scan for malicious activity. For email you would use an internal relay. Both of these help avoid direct contact between trusted devices and untrusted devices.

When you are port forwarding, you are permitting direct access to your trusted devices from an untrusted source. This dramatically reduces the trust of this device, to the point that it should no longer be considered trustable: semi-trusted.

If this machine resides on your internal network, you now have trusted devices capable of interacting directly with a semi-trusted device and vice versa, and so decreasing their net trust.

To mitigate this, we put semi-trusted devices into their own network, and we carefully control the access between the semi-trusted network (known as a DMZ) and the internal network.

Ideally, this would be via the use of a firewall that does not permit connections to be instigated from the DMZ to the internal network. In many cases, this is not feasible, and some access must be permitted.

Access to the DMZ from the internal network should be similarly controlled, and kept to the bare minimum via firewall rules.