You can use Cloudflare without the tunnel too, then it’s just a reverse proxy.

2a01:4ff:1f0:c2f8::/64 is the whole subnet, your server will have one (or more) addresses in that subnet. This could be 2a01:4ff:1f0:c2f8::1, but could also be a randomly generated suffix.

However, I'd prefere not to open ports at home

But why? Opening one incoming port is not an issue if you only allow connections from the VPS in the firewall on that port. Keeping a 24/7 tunnel up is certainly possible, but it adds another layer of complexity/reliability.

Because hosting commercially with large (multi-TB) storage gets very expensive very quickly

.local is mDNS - and I'm using that, saves me so much hassle with split-horizon issues etc.

I also use global DNS for local servers (AAAA records on my own domain), again, this eliminates split-horizon issues. Life is too short to deal with the hassle of running your own DNS server.

/r/Zerotier or /r/Tailscale

with the caveat that this entails installing a application on the client device that accesses the server & whitelist it - so workable if you're accessing your server using your own phone/laptop, not so much on a random company PC or your friends.

If you want 'random' externals accessing your server, you'll have to VPN out to a third party server that forwards ports, or host the entire thing in the cloud.

Tailscale/Zerotier yes. Other option is tunnel out to a 3rd party VPN server with port forwarding: cloudflare does that, and a number of others.

with iOS/iPadOS it's as simple as downloading a DNS profile https://www.reddit.com/r/Adblock/comments/koowte/encrypted_dns_profiles_for_ios_14/

If I look at that screenshot it looks like you can define specific rules? The only problem i see is that you’re using link-local (fe80:: address) as the Local IP, that should be the stable global one (2a0d:xxxx:3040).

Does the TP Link router allow you to create rules in the firewall to open specific ports towards specific endpoints?

That’s how most routers do, but some only have a firewall on/off setting without the ability to create individual rules.

I have disabled the TP-Link router firewall

Completely? I definitely wouldn't do that, only open the one single port you need towards the one server that's listening.