I like to think of the unifi controller as multiple different services, not just a single big one, that you can make accessible independently of one another.
The GUI runs on TCP 8443 by default. You can change this to whatever you like.
The device-controller communication takes place on TCP 8080 and UDP 3478. This one is a bit more complicated. As far as I know, you can change the port of the inform address from 8080 to anything you want, since this is manually provided by you during the inform process. However, I don’t think you can change the STUN port (3478). Also, STUN is in fact not required at all, but I highly recommend using it.
Note that you don’t necessarily have to make the controller GUI accessible from the internet in order for clients to have their devices communicate with it, because these are two different services.
TCP 8880 and 8843 are only needed when using the captive portal function of the controller, which I have never used because I quite like pfSense’s captive portal.