Not much to be nervous about, you can’t fuck it up any more than it already is since the HSTS is preloaded ;) ACME/Let’s Encrypt is pretty easy to set up
Google owns a couple of TLDs (.app, .dev, etc.) and they preloaded all of them 😒
Then yeah, VPN or not, you’re going to need to enable TLS. What’s the issue with giving your subdomains a certificate?
Give those domains their own Let’s Encrypt certificate?
Why is your domain HSTS preloaded?
Sure, don’t run X in the chroot, instead bind the socket for XWayland inside the chroot.
As long as the socket is available, and the environment variables are set, the app will be none the wiser.
If you want to run your app in Wayland, you could use waypipe. Similarly you’ll want to bind the socket into the chroot.
Regardless, even if it’s just for your own one situation, you’ll want to look at ionotify