Secure homelab access
I am trying to expose a few services to the Internet from my homelab, and I know that the common recommendation is to use something like Tailscale. But I am trying to find the most secure way for it and have been going down the rabbit hole a bit.
My idea was something like the following:
Proxmox Host
├── Gateway LXC
│ ├── Tailscale
│ └── Reverse Proxy
VPS
├── Tailscale
└── Reverse Proxy
Locally I have services running across unprivileged LXCs and Docker LXCs.
I am doing a secure site-to-site from VPS to homelab via Tailscale, or could also use WireGuard directly. Then I am exposing the VPS either via Cloudflare Tunnel or maybe even also Tailscale.
Would that have any extra benefit over just running tailscale on the gateway LXC and connecting clients directly to it? Or would it be even counterproductive? I am a bit paranoid here, so happy for some guidance.
Probably just setting up tailscale subnet router would be totally sufficient for me?
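Whichever topology is chosen, the part that actually limits exposure is the tailnet policy. As an added example (not from the poster), here is a Tailscale policy file (HuJSON, so comments are allowed) that pins the gateway LXC and VPS to admin-owned tags, lets only the gateway advertise the LAN route, and permits clients to reach the reverse proxy on 443 and nothing else; the tag names, the 10.0.10.0/24 subnet and the 10.0.10.20 host are assumptions.

```json
{
  "tagOwners": {
    // Only tailnet admins may apply these tags (assumed tag names).
    "tag:gateway": ["autogroup:admin"],
    "tag:vps":     ["autogroup:admin"]
  },

  "autoApprovers": {
    // Only a node tagged as the gateway may advertise the LAN subnet (assumed CIDR),
    // so a compromised laptop cannot start routing for the homelab.
    "routes": { "10.0.10.0/24": ["tag:gateway"] }
  },

  "acls": [
    // The default Tailscale policy is the weak baseline below: every node can reach
    // every other node on every port. It is intentionally left commented out.
    // { "action": "accept", "src": ["*"], "dst": ["*:*"] },

    // Personal devices reach the reverse proxy on the gateway LXC over HTTPS only.
    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:gateway:443"] },

    // Optional VPS hop: the VPS may forward to the gateway's reverse proxy, nothing else.
    // Without this line the VPS cannot talk to the homelab at all.
    { "action": "accept", "src": ["tag:vps"], "dst": ["tag:gateway:443"] },

    // Subnet-router variant: expose one LAN host:port through the advertised route
    // rather than the whole /24 (assumed host address).
    { "action": "accept", "src": ["autogroup:member"], "dst": ["10.0.10.20:443"] }
  ],

  // Policy tests are evaluated by the admin console on save; a failing test blocks the change.
  "tests": [
    { "src": "autogroup:member", "accept": ["tag:gateway:443"], "deny": ["tag:gateway:22", "tag:gateway:8006"] },
    { "src": "tag:vps",          "accept": ["tag:gateway:443"], "deny": ["10.0.10.20:443"] }
  ]
}
```

On the gateway LXC the route still has to be advertised (`tailscale up --advertise-routes=10.0.10.0/24` with IP forwarding enabled); the autoApprovers entry above only removes the manual approval step for that tagged node.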