Somethign I haven’t seen mentioned yet is clevis and tang, basically if you have more than one server then they can unlock each other and if they’re spatially separated then it is very unlikely they get stolen at the same time.

Though you have to make sure it stops working when a server get stolen, using a mesh VPN works just as well after the server is stolen so either use public IPS and a VPN or use a hidden raspberry pi that is unlikely to be stolen or make the other server stop tang after the first one is stolen.

Luckely we’re not relying on emails for security relevant and or private information, right?

The emails are unencrypted, emails in transit are in transit between the e-mail servers and relays and use secure tls channels.
They are only encrypted from your phone/notebook/browser to the server, then when send they will be encrypted till the next server.

Every server/relay first decrypts everything send to it, because it has to due to the TLS terminating at each server.

See also your source:

Transport Encryption: This form of encryption is used to secure your emails while they are transmitted over the internet. Most of today’s email services, including Gmail, employ transport layer security (TLS) to protect emails in transit. While it encrypts emails between servers, it doesn’t protect the content once it reaches the recipient’s inbox.¹

In practical terms, Your e-mail server, your e-mail servers relay (if it has any) and your recipients relay server/server can all read your email unless

End-to-End Encryption (E2EE): E2EE takes encryption a step further. It ensures that only the sender and the recipient can decrypt and read the emails. Even the email service provider cannot access the contents of the email. E2EE is typically achieved through third-party encryption tools or services.¹

Which takes active effort from both the sender and the recipient to make work - it’s almost only possible with people you know and little else.

¹ https://umatechnology.org/gmails-new-encryption-can-make-email-safer-heres-why-you-should-use-it/

You can use caddy-l4 to redirect some traffic before (or after) tls and to different ports and hosts depending on FQDN.

Though that is still experimental.

Only thing I can comment on is that 99% of all E-Mails you will get are unencrypted and can be read by your relay. (There are few e2e encrypted emails being send.)

So either trust them or don’t use a relay.

Step 1: Get write access to the project you dislike.

I recommend switching to NixOS only after you have a basic but broad understanding of Linux, many things in NixOS are more complicated than in “normal” Linux, which is needed to archive what it does, but is overwhelming for someone who doesn’t know the what and why and where that using Linux brings.