Yes, it’s small, runs at a few watts and is silent.
The Celeron J4105 and Pentium J5005 CPUs in the Wyse 5070 are very close to each other both regarding energy and computing power.
Have a look here: https://www.cpu-monkey.com/de/compare_cpu-intel_celeron_j4105-vs-intel_pentium_silver_j5005
I would take either.
You’ll have a hard time finding another silent box with such a small footprint that’s able to take 2 gumstick drives - even if one of them needs some tinkering - and 32 GB RAM.

You could try to get a used Dell Wyse 5070.
If you pick the right dual ranked RAM modules (e.g. Patriot PSD416G26662S), you can have a max. of 2x16 GB.
There’s a slot for SATA SSDs onboard and with the right adapter (PCIe A/E key -> M key) you can plug an NVME SSD in the WiFi PCIe slot, which gives plenty room for storage and even allow for a disk mirror setup.
All that is very well within your budget and quite a beast that once was meant to be just a thin client.

Then I would stick with ZFS if you’re already familiar with it.

I’m not at all familiar with ZFS. It’d be part of the learning curve as is Proxmox as a whole. But I consider knowledge about both as useful.

LXD is a management system for LXC containers. If you’re just starting out, stick, with LXD. It’s much more user friendly.

I will stick with LXD for containers then if I don’t use a VM.

Not really. I run a VPS which acts as a reverse proxy for my docker setup, which has non-local storage via NAS. I don’t particularly see a point in fragmenting docker like that, but if that’s how you want to roll, then go for it.

This due to my lack of experience with Docker and backing up all properly to do a complete restore. It looks like I have learning curves in more than just one area ahead of me.

I very strong advise against this. But it’s perfectly possible. You’re just at the whim of the airwaves. I live near a main highway and sometimes when large trucks go by, I lose WiFi for a quick second. Really fucks with certain things.

Yeah, nothing beats a setup, where each network interface is the maximum size of a collision domain.

Yes. Nothing wrong with software firewalls.

Gotta get ahead of that old school me that thinks running a software on a different hardware plays a crucial role in the threat model.

Also yes. Particularly (like I have setup) I have a software firewall that tunnels my local vLAN to my VPS, and then everything else is further bisected using a hardware firewall–so all outside incoming requests are proxified by my VPS meaning any direct connections are dropped by the software firewall, then I manage ports from within the hardware switch.

That’s a setup I may borrow from you :)