You could be right. I am not a pro so I don’t really want to speak on the best practice approach. Really the only reason I containerize my services is the ease-of-deployment and the ease of potential re-deployment if my server did crash.

I personally am not too stressed about bad actors, being as this is a hobby server and the payout for a bad actor would be pretty low.

But your point does make sense to me.

I also do this. Just run Tailscale on bare metal and then I can access my all my services the same as if I was on my LAN, essentially.

+1 on duplicity. I run it directly on the host, outside of my docker containers. Grabs the data from the different volumes for my Nextcloud etc, puts it all into an AWS infrequent access bucket. Costs me ~3$USD/month. Pretty simple. Runs on cron

I don’t follow the full 3-2-1 rule, but I did want some sort of offsite backup for my Nextcloud so I use Duplicity to back up my user data from Nextcloud, plus all my DockerCompose files that run my server, to an S3 bucket. Costs me like $2/mo. Way cheaper than google drive

Pass thru is in fact possible in docker. The example compose for Frigate has an entry that specifically passes the Coral device through to the container. I use this exact setup. Also, docker is not a VM