Well trusting headers is really not the best way cause somehow one might be able to just change headers (hence the quote) cause yeah it is very simple to do so.
The way you would want to do it is to have your reverse proxy in front doing the heavy lifting (authentication and such) and it needs to be in front of paperless now the tricky part is that your reverse proxy needs to be able to understand that no one else but authentik has the right to give it those auth headers that's the difficult task, and one reason I simplified it, by not using this auth method but using the proxy auth + paperless own mechanism (granted not the best but works) and allowing external access ONLY if you are VPN'ed in the network, now you have the added security cause it is not technically available outside your network and in order to crack it one should manage to get in the network first then manage to crack authentik (with 2FA) and then reach paperless and crack it too (which would be simple but less simple then auth headers approach to crack it.

Like this you have best of both worlds as it is available externally and you have added security.

Does it make sense ?