The other side of this is that unless you're a very important individual, nobody is going to blow zero days on your self-hosted server, and you're pretty unlikely to be the focus of individual human (non-automated) attention/exploitation.
I've been self-hosting for over a decade with no intrusion to my knowledge, although I'm sure some state-level actor has access. On the flip side, I've had many of my login credentials stolen over the years due to a wide range of companies getting hacked: haveibeenpwned currently lists 11 breaches for just one of my emails. It's probable I'll get owned eventually, but I've got some catching up to do.
I mostly agree with your post, except using a zero day on a small (especially self-hosted) server is very rarely blowing it. In fact, I would bet the majority of self-hosted or small-time servers wouldn't have the first clue about how to figure out how you got in, let alone parse logs to figure out the exploit. Assuming they even log sufficiently, hiring a forensics expert is almost certainly out of the question financially.
I wanted to write exactly the same comment: it is a lot less likely to be targeted. The big company leaks happen often because A LOT of resources and human hours go into trying to find flaws in their security.
Not only that, but the reward is a lot smaller for the attacker and the overall damage is smaller for the community. If attackers get into Google Analytics/Tag Manager servers, they will be able to find data and sensitive information about most of the websites in the world and be able to control them. If they get into your self-hosted analytics server, they would only find out your stats, which can't be used for much.
It is one thing to find the name and phone number of one person and another thing to find the name and phone number of millions of people.
No, only the traffic of the self-hosted server you whitelist on Pritunl using the self-hosted server's IP goes through the VPN. The rest of the internet traffic works as usual.