They will require the requester to prove they control the standard http(s) ports, which isn’t possible with any nat.

It won’t work for such users, but also wouldn’t enable any sort of false claims over a shared IP.

If you can get their servers to connect to that IP under your control, you’ve earned it

This sounds like a whole lot of convoluted bullshit to use Plex locally and “looking local” through VPN solutions when you could just roll a Jellyfin instance and do things a more straightforward way…

You can use one of a few ways to use the TPM to auto decrypt on boot without passphrase. Systemd cryptenroll is my favorite.

Because it says to do so?

Proxmox uses Debian as the OS and for several scenarios it says do Debian to get that done and just add the proxmox software. It’s managing qemu kvm on a deb managed kernel