Do you want Unbound to query upstream DNS over HTTPS servers or do you want unbound to answer to DoH queries?
For the former, unbound cannot query upstream DoH servers, only DoT and DNS at the moment. An issue is still open for setting DoH as upstream. A solution is to use cloudflared or dnsproxy to proxy DNS queries to DoH upstream servers.
As for the latter, unbound can be set to answer to DoH queries.
I've always used OVH. They are reputable, always been responsive to my questions and have an API to handle many things, including domain names, which is handy for DNS-01 challenges with Caddy and libdns.
I'm afraid making your instance private disables federation.
As for making the web interface private, while it would prevent the average Joe from seeing federated communities, you could still do it through the API, which you have to keep public if you want to use alternative and mobile clients without a VPN.
I wonder if they will ever implement ActivityPub and federate. I know, there's fear of "Embrace, Extend and Extinguish", but still, that would allow privacy-minded people to follow Threads users without giving them such data by using Mastodon, CalcKey and other micro-blogging apps.
Excuse me for my lack of understanding, but why are there so many people looking to hide their traffic from their ISP with a VPN? Isn't HTTPS enough? Are you afraid of ISPs resorting to DPI or MiM to spy on their users? Is customer protection so weak in the US that ISPs are free to spy on their customers using aforementioned techniques?
Edit: I just realized that I left out people leaving under authoritarian regimes, for whom VPNs are unfortunately required to evade their government.
Well, the engineers say it themselves: nothing would prevent websites developers to prevent access from browsers that do not support this "Web DRM".
My biggest fear though is that it becomes a standard which all browsers will have to support to stay relevant. And with Google building the engine used by the vast majority of browsers, they can force this upon other browser engines (ie. Safari and Firefox).
Can't you deploy Docker images to Lambda now? Granted, startup times will probably be slower than native Node.