> assuming I’m not interested yet in a commercial “Zero Trust Network” solution that maybe tunnels any TCP/UDP packets through a commercial reverse proxy because the packets are not end-to-end encrypted.

This isn’t (always) true. Some solutions are E2E encrypted.

Or stand up Headscale yourself.

https://github.com/juanfont/headscale