Proton with a domain you control and use their Simplelogin which you can self host down the line should there be a rug-pull event. I think you need to manually export this so make it a habit as you add them!
You can put your eggs in one basket, just make sure you have a plan B if the basket catches on fire, using their domain in my eyes you’re going down with the ship, if you control it you’re just repointing records to a new host and getting simplelogin going.
This is part of the reason I like to keep ALL of my emails on disk still as well, if you can’t decrypt your mailbox for some reason they’re about as good as gone.
Docker image layering and nightlies for the heavier installs has worked pretty well for me. Dependencies from things like npm, composer etc are all build time still but more of the base stuff is on a weekly build cycle. We just do notifications if the nightlies fail to manually resolve it which is very very seldom