The plugins would almost certainly work in a VM, but I imagine that latency would become a big headache. For my purposes, I picked up a Beelink mini pc and called it a day.

Right, that's what I meant when I said "third party app". Samsung can write an app to do this, but your average app installed from the play store likely cannot.

I'm not super well versed in the world of app development, but I would assume due to the way apps are sandboxed, this isn't something that could be done with a third party app.

im a big fan of the nas device being single purpose. its life should only exist in fileserving. i have several redundant nas devices and then a big ol app server.

This is the way. Except my "big ol' app server" is an n95 mini pc that sips power.

Because even if an attacker could gain access even as root he cannot modify system files.

Your comment was already from the position of if an attacker could gain root access. My responses were to that directly, and nothing else.

While you are correct, any system is compromised if you have root, so isn’t that irrelevant at that point?

The original context for the comment chain was:

Because even if an attacker could gain access even as root he cannot modify system files.

So no, it's completely relevant.

I'm planning on doing this personally, as my setup is a bit complex (Protonvpn doesn't have port forwarding on wireguard supported very well on Linux, so I have some helpers running that make it work). Setting this up each time (and on each computer I want to torrent on) is a bit of a pain. If you do all of your setup and dockerize it, you can just pull the container on each new install/machine (0 setup)