I think 2 good concepts come to mind to help you make choices:
Least privilege - Only give things/people just enough access/authority to get the job done. A good example is Sonarr doesn’t need access to your personal photos to do its job, so don’t give it access to them.
Defense in layers - Nothing is perfect and you can make mistakes in configuration. Don’t rely on a single point of failure to protect you. If you want remote access, use a VPN. But also take steps in your network like putting a password on the logins.
If you want cheap new drives check out shucks.top.
You can get used Enterprise drives on eBay if you want to go that way. Look for a seller with lots of sales, a good rating, and a reasonable return policy.
I would stay away from Kubernetes/k3/k8s. Unless you want to learn it for work purposes, it’s so overkill you can spend a month before you get things running. I know from experience. My current setup gives you options and has been reliable for me.
NAS Box: TrueNAS Scale - You can have UnRaid fill this role.
Services Hosting: Proxmox - I can spin up any VMs I need and lots of info online to do things like hardware passthrough to VMs.
Containers: Debian VM - Debian makes a great server environment as it’s stable and well supported. I just make this VM a Docker Swarm host. I managed things with Portainer for a web interface.
I keep data on the NAS and have containers access it over the network. Usually an NFS share.
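
An added example, not part of the original comment: a Docker Swarm stack file that applies the least-privilege point to the NAS-over-NFS layout described above, with an over-broad mount shown commented out for contrast. The NAS address (192.0.2.10), the pool and dataset paths, the UID/GID and the use of the linuxserver.io Sonarr image are all assumptions made for illustration.

```yaml
# Constructed example: Sonarr on a Docker Swarm host, media stored on a NAS over NFS.
# Assumed values: NAS at 192.0.2.10, pool "tank", dataset paths, UID/GID 1000.
version: "3.8"

services:
  sonarr:
    image: lscr.io/linuxserver/sonarr:latest
    environment:
      PUID: "1000"   # unprivileged user that owns only the media datasets on the NAS
      PGID: "1000"
      TZ: "Etc/UTC"
    ports:
      - "8989:8989"  # Sonarr web UI; keep its login enabled even behind a VPN
    volumes:
      - sonarr_config:/config
      - tv:/tv
      - downloads:/downloads

volumes:
  sonarr_config: {}

  # Too broad, shown only for contrast: mounting the pool root would expose
  # every dataset (photos, backups, documents) to this one container.
  # everything:
  #   driver: local
  #   driver_opts:
  #     type: nfs
  #     o: "addr=192.0.2.10,nfsvers=4,rw"
  #     device: ":/mnt/tank"

  # Least privilege: one NFS volume per dataset the service actually needs.
  tv:
    driver: local
    driver_opts:
      type: nfs
      o: "addr=192.0.2.10,nfsvers=4,rw"
      device: ":/mnt/tank/media/tv"

  downloads:
    driver: local
    driver_opts:
      type: nfs
      o: "addr=192.0.2.10,nfsvers=4,rw"
      device: ":/mnt/tank/downloads"
```

Restricting the NFS exports on the NAS to these two datasets and to the Docker VM's address adds a second layer, so a mistake in the stack file alone still cannot reach the photo share.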