Self hosting has the advantage of keeping your encrypted vault local and under your control.
Cromite is a good Brave alternative without crypto, built-in adblocking, secure defaults (better security hardening), and cross-platform (Linux, Windows, Android). Best experience is on Android. Cromite is an actively updated fork of Bromite, released by a former contributor of Bromite. Cromite also comes without any proprietary libraries on Android (unlike Brave, Mulch, or Vanadium).
It can sync; most if not all Firefox-based browsers can sync.
You can install uBlock Origin Lite, and the Adblock Plus engine is segregated by Cromite.
Vanadium does not provide adblocking/content-block, comes with proprietary dependencies, and provides no fingerprinting protection.
Betterfox isn't more private/secure than Arkenfox. Betterfox is actually softer in its security and privacy approach. Its goal is to cause the least site breakage, which means more data leakage and softer defaults. Not a bad thing, just not true about Betterfox.
Use Mull (made by the DivestOS developer) on mobile. It is available through the dev's F-Droid repo. It is hardened Firefox mobile similar to Librewolf and supports sync because it is a Firefox mobile fork. It is also fully open source and doesn't come with proprietary dependencies (unlike standard Firefox mobile).
Instead of Mulch I would recommend Cromite. It is fully open source (free of proprietary dependencies unlike Brave and Mulch), has anti-fingerprinting (unlike Mulch), and has built-in ad-blocking. Browser comparison table made by the Developer of Mulch: https://divestos.org/pages/browsers
Self-botting is against ToS. You have to be careful when interacting with the Discord API. Maybe there is a way to run the Discord website to fetch text messages.
Generally, I think it is better to use a general server OS like Debian or Fedora instead of something specialized like Proxmox or Unraid. That way you can always choose the way you want to use your server instead of being channeled into running it a specific way (especially if you ever change your mind).
That is not how security works. You must protect against known and unknown attack vectors. I am only pointing out weaknesses of Docker and other Linux containers that share the kernel with the host and/or run with root. I'm not saying anything original or crazy, just read up on the security of these technologies and their limits. I am not a malware designer, I am a security researcher.
Look into gVisor and Kata Containers for info on how to improve the security of containers.
Here are some readings for you:
https://redlib.tux.pizza/r/docker/comments/eakd50/help_can_i_safely_run_malware_inside_a_container/
https://www.csoonline.com/article/1303004/vulnerabilities-in-docker-other-container-engines-enable-host-os-access.html
https://www.panoptica.app/research/7-ways-to-escape-a-container
https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
https://www.securityweek.com/leaky-vessels-container-escape-vulnerabilities-impact-docker-others/
https://www.cybereason.com/blog/container-escape-all-you-need-is-cap-capabilities
It is not speculation, it is reducing attack surface. Security is preemptive. Docker/Podman are not strong isolation solutions. Rare does not mean we shouldn't protect against the chance of kernel vulnerabilities. The Linux kernel is around 30 million lines of code long and written in a memory-unsafe language. Code isn't safe just because we don't know the vulnerabilities, this is basic cybersec reasoning.
Docker/Podman and LXC Linux containers share the same kernel with the host machine. Root in the container is root period (in the case of rootful containers). Even without root, much of the data on your machine is readable from any user. With an exploit to escape the container (which are common) the malicious program has root on the machine. This is a known attack vector against Linux containers. VMs are much better for isolating untrusted software from the host OS.
Idk how to decide what is safe or not, but as a warning, Docker containers can escape trivially and have access to the kernel.
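The container comments above name root in the container, added capabilities, and the lack of a sandboxing runtime such as gVisor or Kata Containers as the weak points. The following is an added example, not part of the original comments, that flags those settings in `docker inspect` output; the sample JSON is constructed, and the runtime names in `SANDBOXED_RUNTIMES` are assumptions that depend on how the runtimes were registered with the daemon.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not from the page).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/web", "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"], "Runtime": "runc",
                 "PidMode": ""}},
 {"Name": "/untrusted", "Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "CapAdd": null, "Runtime": "runsc",
                 "PidMode": ""}},
 {"Name": "/legacy", "Config": {"User": "0"},
  "HostConfig": {"Privileged": true, "CapAdd": [], "Runtime": "",
                 "PidMode": "host"}}
]
""")

# Assumed names: a runtime is called whatever the operator registered it as.
SANDBOXED_RUNTIMES = {"runsc", "kata-runtime", "kata"}

def audit(container):
    """Return findings for one container entry from `docker inspect`."""
    findings = []
    host = container.get("HostConfig", {})
    # An empty User means the process runs as UID 0 inside the container.
    # This check does not account for userns-remap or a rootless daemon.
    user = (container.get("Config", {}).get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs-as-root")
    if host.get("Privileged"):
        findings.append("privileged")
    for cap in host.get("CapAdd") or []:  # CapAdd may be null
        findings.append("cap-add:" + cap.upper().removeprefix("CAP_"))
    if host.get("PidMode") == "host":
        findings.append("host-pid-namespace")
    # An empty Runtime means the daemon default, assumed here to be runc.
    if (host.get("Runtime") or "runc") not in SANDBOXED_RUNTIMES:
        findings.append("no-sandbox-runtime")
    return findings

def audit_all(inspect_output):
    return {c["Name"].lstrip("/"): audit(c) for c in inspect_output}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, findings or ["no findings"])
```

On a real host, the input would come from `docker inspect $(docker ps -q)` parsed with `json.loads`.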
Sry, I should have mentioned I meant Cromite on desktop.