Wow, thanks for all the great answers so far. As for why not latest:

1. Read a lot online and read multiple times it’s “bad practice”
2. Own experience: had latest on an app which crashed and wouldn’t come up again. Got the backup of the persistent volume back and then had the problem that latest at that point is not the same as latest when I spun it up. Actually had no idea which version I was running last and consequently what I would need to pull to fit my backup. In case I have to restore my cluster, this problem is multiplied.
3. I run NixOS on everything, so I am clearly biased towards reproducibility.
4. I am running Services for family and a fire brigade (nothing mission critical, just support stuff, but still…). Stability is important, as sometimes I do not have the time to immediately react to an issue. I prefer a lazy Sunday morning to update/fix and then leave it alone and stable.

So, probably a combination of latest for low criticality and pinned on critical stuff (e.g. authentication, access, etc.)

At the end of the day you have to trust someone (Bitwarden, Hoster, Hardware Manufacturer…). It comes down to your threat profile and what you personally accept as a risk vs. effort (or convenience). For me Bitwarden was acceptable, but I switched to self hosting Vaultwarden ca. 3 years ago. Main reasons being the advanced features (sharing some passwords with the family, setting up a tech savvy friend to take over my vault should I get hit by a bus, etc.). I did not have any relevant downtime of that service in years.