
"a VNC-like interface is required to enter disk encryption password, which could be intercepted by the host."

There's a rule in security that anyone in physical possession of your device should be assumed to have access to it. The host has the server whether physical or virtual. You're not safe from them. Trusting them is the tradeoff made for the cheap, hosted server.

" I look at dedicated box more as an upgrade from VPS."

Multiple VPSes share a physical box. A malicious VPS can look for secrets in another VPS using side channels. This isn't possible on bare metal: they have to compromise an app or get a shell first. The next concern would be endpoint security. OpenBSD covers that well. Then, there's host or peripheral firmware, which is almost always a risk if a third party is hosting things. Your attack surface does go down, though, when you're not sharing a box with an attacker. There are also the performance benefits.



Privacy from host is not possible, and you make a very good point about hardware access.

Virtual machines are secured by the shared host. I don't really expect top security from this end. A replica backup MX enables me to safely change hosts if they behave badly.

OpenBSD defaults are what I base my endpoint security on, and keeping this updated is super easy.


"Virtual machines are secured by the shared host."

Virtual machines are not secure in mainstream implementations. The tech they use has had a lot of vulnerabilities in the past. Google and Amazon even have their own custom versions for improving security. There's also no covert/side channel analysis done on those to even know what information leaks will be found in the future. Finally, hardware-level attacks are possible if you have malicious code running that bypasses VM protection. The most popular recently are Meltdown/Spectre.

There have only been a few VMMs designed for security (two examples below). Most of them probably cost five to six digits to license. The FOSS ones are alpha or beta quality without the tools a big host would want for management. The VMMs focused on rapid development of features in unsafe languages don't look anything like the ones that passed pentesting. They also have the highest market share due to those features. So, your host serving cheap VPSes is almost certainly not using a secure VMM: they're saving money using an insecure one on insecure hardware that they're patching as vulnerabilities are publicized. Like almost everyone does with their OSes for their beneficial features. ;)

http://www.cse.psu.edu/~trj1/papers/ieee-sp-vaxvmm.pdf

https://ghs.com/products/safety_critical/integrity-do-178b.h...
