1. If for some reason a state-based actor takes interest in me, I'm boned no matter what I do. I wouldn't trust any hosted service in that circumstance and that includes the service I'm running Vaultwarden on. My vault isn't even what they'd necessarily attack; they'll go straight after my bank and straight after my other high-value accounts and there's nothing I can do about that either.
2. My self-hosted Vaultwarden setup will defeat any random scanner and the majority of random Joe Schmoe Hacker guys. In principle it even defeats a casual insider on my hosting service because just grabbing a disk image actually shouldn't help them much; they need to compromise Vaultwarden (not just the OS generally, Vaultwarden specifically) somehow, and probably actually my Vaultwarden client too.
The rest of your concerns hypothesize a class of attacker I think borders on, but is perhaps not quite, nonexistent. I'm not really concerned about the super-skilled hacker, who is limited to only my vault as their attack vector, and apparently has very fresh if not zero-day vulns that they are willing to deploy against me and specifically me, only me, their payoff for their personalized and specialized hacking effort is just that they get specifically my (encrypted) vault and nobody else's. That is a very specific level[1] of interest in me this hacker, that is not defeated by my current setup, but is defeated by what you outline, has in me.
Edit: Actually what makes me the most nervous overall is compromises of the client, not the self-hosted server I run. For practical purposes 100% of my risk in this setup is there.
1. If for some reason a state-based actor takes interest in me, I'm boned no matter what I do. I wouldn't trust any hosted service in that circumstance and that includes the service I'm running Vaultwarden on. My vault isn't even what they'd necessarily attack; they'll go straight after my bank and straight after my other high-value accounts and there's nothing I can do about that either.
2. My self-hosted Vaultwarden setup will defeat any random scanner and the majority of random Joe Schmoe Hacker guys. In principle it even defeats a casual insider on my hosting service because just grabbing a disk image actually shouldn't help them much; they need to compromise Vaultwarden (not just the OS generally, Vaultwarden specifically) somehow, and probably actually my Vaultwarden client too.
The rest of your concerns hypothesize a class of attacker I think borders on, but is perhaps not quite, nonexistent. I'm not really concerned about the super-skilled hacker, who is limited to only my vault as their attack vector, and apparently has very fresh if not zero-day vulns that they are willing to deploy against me and specifically me, only me, their payoff for their personalized and specialized hacking effort is just that they get specifically my (encrypted) vault and nobody else's. That is a very specific level[1] of interest in me this hacker, that is not defeated by my current setup, but is defeated by what you outline, has in me.
Edit: Actually what makes me the most nervous overall is compromises of the client, not the self-hosted server I run. For practical purposes 100% of my risk in this setup is there.
[1]: https://www.shamusyoung.com/twentysidedtale/?p=55166