I use NextDNS as I can use that when mobile, but if you want a local solution, AdGuard Home has DoH/DoT built in and a nicer interface than Pi-hole IMHO.
You will be behind CGNAT, and a VPN will work, yes, but you will need to run a VPN client on each of your remote devices.
AdGuard Home or Pi-hole for starters.
Or run Unbound and go straight to the authoritative DNS servers.
If you want stability then you should go with Debian.
I'm assuming the benefit over say Caddy + Authelia is that you don't need to open any local ports such as 80 and 443?
Once you've chosen a VPN, take a look at gluetun as a dockerised VPN gateway.
I use Caddy and agree with your last point in the context of CrowdSec.
Turn them into security cameras:
https://play.google.com/store/apps/details?id=com.ivuu&hl=en_GB&gl=US&pli=1
You don't need any open ports to use a cloudflared tunnel.
Remember to get yourself a VPN subscription and check out gluetun to keep your connection private.
Yes, I expose Home Assistant this way.