RDP over a forwarded port or VPN, which is more dangerous?
Hello comrades. The question is as follows.
The organization has a terminal server that needs to be accessible at all times. As for clients, the company's employees connect from home. It needs to be secured, and the question is whether to change the forwarded RDP port, or to set up OpenVPN through the forwarded port with certificate authentication. If VPN, then the risk of infection with some kind of malware becomes higher. Tell me, comrade gurus, what to do.
Thanks
To protect the server against external attacks it is, of course, better to set up a VPN; it becomes an additional line of defense. The attacker will first have to break through it, and only then attack the server. This assumes that the server, and only the server, is reachable through the VPN; otherwise, if the VPN is compromised, the entire local network is at risk.
As I understand it, your task is primarily to protect the server from attacks by its users, and once connected to the VPN server they will have access to all of its open ports and running services?
In that case you can protect the server with a firewall. You can additionally protect it with an "internal" gateway and forward the RDP port to it. That is: users first connect to the gateway via VPN and gain access to the internal gateway, on which the server's RDP port is forwarded.
Ransomware cannot be defeated this way anyway; the user can run it directly on the terminal server and encrypt your files. Backups are the first thing that helps against that; you should not fully rely on antivirus here.
Why is the risk of infection increasing?
Do users work without admin rights?
Is there any antivirus that will catch the launch of malware?
What other threats are there?
If you do not store documents on the terminal server and do not map drives to letters, then in the worst case you wipe the user profile, that's all, and let them log in again.
Set up the VPN on a gateway that does not run Windows. RDP on Windows is an attack vector.
You set up a VPN, and through it only the terminal server is allowed to be reached. Accordingly, only the necessary programs are allowed to run on the terminal server.
Changing the forwarded port number does not affect security in any way.
"If VPN, then the risk of infection with some kind of malware becomes higher." This is some kind of nonsense.
You need to decide for yourself which threats you are going to defend against: external, internal, or all of them.
If external, then you definitely need to set up a VPN. In any case this method is safer.
If internal, then you need to turn on paranoid mode.
If a person from outside goes through the VPN to the RDP server, then they should not be able to go anywhere else. Forbid everything else. A firewall is in your hands, plus antivirus on each machine.
But you need to understand that any connection from the outside, whatever it may be, is a potential hole, and it must be protected by every means.
You also need to restrict the servers used for external connections, since those servers are also considered unsafe. So put them in the DMZ and forbid them everything as far as possible.
In general, I see no reason to hide RDP behind a VPN; password brute force will happen in either case. You will only complicate employees' access to your server for nothing. It seems more reasonable to me to use two-factor authentication for logging into the server.
And what is the danger? That the password will be guessed? Password complexity policy is one thing, account lockout after n incorrect password attempts is another.
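The gateway design the answers above describe (OpenVPN on a non-Windows gateway, certificate-only client authentication, VPN clients able to reach nothing but the terminal server's RDP port), as an added example that is not part of any post on this page. The addresses, interface names and PKI paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from this thread: OpenVPN server config with certificate-only
# client auth, plus iptables rules that let VPN clients reach ONLY TS_IP:3389.
set -eu
TS_IP="10.0.0.10"              # constructed: terminal server on the LAN
VPN_NET="10.8.0.0/24"          # constructed: OpenVPN client address pool
VPN_IF="tun0"; LAN_IF="eth0"   # constructed: gateway interfaces

# remote-cert-tls + crl-verify: only certs from our CA, and revoked ones (lost
# laptops) are rejected. No client-to-client, so VPN peers cannot see each other.
openvpn_server_conf() {
  cat <<EOF
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key /etc/openvpn/pki/server.key
dh none
tls-crypt /etc/openvpn/pki/ta.key
remote-cert-tls client
crl-verify /etc/openvpn/pki/crl.pem
push "route $TS_IP 255.255.255.255"
EOF
}

# Forwarding policy: default drop; the only new flows allowed are VPN -> TS_IP:3389.
# Denied attempts are logged, so a client probing the LAN shows up in syslog. Assumes
# the LAN routes VPN_NET back via this gateway (no NAT), so RDP logs keep client IPs.
firewall_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $TS_IP -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $VPN_IF -j LOG --log-prefix "vpn-denied: "
EOF
}

# With no argument, print what would be applied; "apply" writes and applies as root.
case "${1:-show}" in
  show)  openvpn_server_conf; echo; firewall_rules ;;
  apply) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
         openvpn_server_conf > /etc/openvpn/server.conf
         firewall_rules | sh -e ;;
esac
```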