primary difference between a computer and a phone in this regard is that old comouters can perfectly well run modern Linux. with a phone, you’re lucky to have root at all so good luck updating it yourself.

but quantum stuff can tunnel through the cheese, despite its inability to be penetrated

I do as you, and run my own services for everything I use frequently except for email. keeping it all behind a vpn prevents unwanted access. I pay for protonmail but operate my own mail server for internal use. I have machinery to download messages from protonmail upon receipt and make them available to me, and to send through protonmail. so I’m doing both and using protonmail as the interface with outside servers.

picking a different port that isn’t also used by another common service will eliminate most of the botscans you’ll see otherwise.

… do you have a reason to belive your ISP cares if you run wireguard?

… in case you don’t know: if it’s for resources on a private home network, you can easily add the CA cert (i.e. the public key associated with the private key used to sign your certs) to your devices so that it’s no longer unknown and the warnings disappear. I know this doesn’t answer your question, but it’s what I’d do instead of using letsencrypt for private services.

federation happens over the clearnet, so the only place tor gets used is your connection to the instance.

With syncthing, you can share securely your pictures (etc.) folder on your phone with your computer, and cut cloud storage out of the picture entirely.