that is relatively low assuming "private bytes" is virtual memory usage. Is that Firefox being idle? How many tabs do you usually keep for your everyday web browsing?

If in order to achieve security, users have to give up their privacy and freedom, I guess mobile operating systems are behind regular desktop or server oriented operating systems. I mean no matter how secure the operating system is, with bad opsec things can go wrong pretty quickly anyway.

Why not just use an F-Droid repo?

For some reason the session network (oxen network) now blocks my Hetzner VPS connection (I use for VPN). Have been a session user for around 2 years now and now I have to reconsider Signal.

Personally? Because telegram feels dodgier than WhatsApp. At least I can trust WhatsApp enough around security. If I really want to upgrade my privacy or freedom, I would have chosen either Matrix, Signal or Session.

QR payments don’t impose fees on cardholders and merchants.

I thought they were going to tax QRIS payments, or was that only for Indonesia?

I am unsure if I can ELI5 those without also ELI5-ing about Computer Network, VPN and Firewall.

They are VPNs. Like a regular network, they connect your devices through their network. They may put Firewall rules to allow you to talk to X networks (any specified networks). That also means the VPN may not allow you to connect to the internet through their network. Now the difference between ZeroTier and Tailscale and other VPNs for accessing the internet is that ZeroTier and Tailscale only permit your traffic to your other devices that are bound to your account and not to the internet (your other internet data won't go through zerotier/tailscale). This configuration is great because you have a virtual and secluded network that you can connect to from anywhere via the internet using ZeroTier/Tailscale networks (with your virtually local IP on ZeroTier/Tailscale).

I'm hosting an email server on a VPS that has fail2ban in it. A lot of ports are open but only wireguard and knockd are listening.

For remote server management, I would use wireguard for regular ssh access, but when I need to configure the wireguard I can just disable/reenable the wireguard-only ssh firewall rule using port knocking, there is also the option of using the serial console on the VPS web ui but it is slower.

Honestly, I'm not sure myself if my public facing services face a DoS attack. Well, there's always an option of using Cloudflare. With that being said though, I think in your case you should just use a free "VPN" like Tailscale or ZeroTier.