I have a similar situation, where I only get a public IPv6 prefix. I ended up renting small vps at netcup and installed OpenVPN and ha-proxy. My home router connects to the VPS’s public IP and I do port forwarding for the services I need, or use the proxy.
Initially I setup SNAT for my web server (otherwise replies were going out the wrong interface) and that meant you don’t see the public IP of the connecting client in your access logs.
Recently I switched to using ha-proxy which does tcp level proxying and works well with ports 80 and 443 and Traefik, which i use to expose my docker containers.
My connection chain looke like vps -> ha-proxy -> OpenVPN -> port forward to Traefik -> reverse proxy to the final service. It’s not a fast server, and I didn’t measure latency, but it’s for sure not small.
As others have mentioned, ha-proxying to your IPv6 might be an interesting solution, and I think I will also try it out.
I use Hetzner Storage Box for my backup needs - TrueNAS handles this for me on a regular interval and encrypts them before upload (yay rclone!). I needed a bit more storage than you, to the tune of 5TB, and for this much data they were the cheapest (12eur / 15usd per month iirc).
Consider slightly more storage if you need snapshots. For my storage box i enabled them, and now have a history of last 4 monthly backups.
If you use rclone, you can mount the remote backup as a fuse filesystem and browse your backup like it would be a local file - extract what you need only. Any livecd / USB with rclone can help you rescue your data in case of disaster.