There's always a balance, true.
If it's just a site to display your books, there are limits to what bots can do. If you allow comments, it's easy enough to moderate them and prevent spam manually unless you have huge traffic. An ecommerce site might be trickier, but more because of what hacks against the guts of the site might cause rather than what a frontend user might do.
If I recall, you do your own programming, which gives you the advantage of structuring security how you want. I'm reliant on others, but generally, I have a site that functions well without excessive security routines. The only thing that irks me a little is that since Cloudflare updated recently, I find myself verifying I'm a human every time. It's just a checkbox, but still, I could probably do without. But if I wanted to, I could lower the security there and rely on my other precautions (like Wordfence on the site itself). So far, my legit traffic hasn't dwindled.