I’ve never used Portainer, but does it have an option to only notify of available updates?
For things that I don’t mind breaking, I use latest. For the services that matter, use a specific version. Take Immich for example, in the 2-3 months I’ve kept it running, there’s been 3 breaking changes that would prevent startup after update without manual intervention. Immich is an extreme though, some other projects have been working fine with latest without touching them for years.
I follow the important projects’ releases (subacribe if possible), and update manually when they publish an image with a new version. I’d see it as either updating manually and being OK about possibly being a version behind every now and then, or using latest+auto updates and being OK with waking up to broken services every now and then. Which might never happen.
You need the G account to be able to install apps from Play Store, I don’t believe the private space itself requires it.
Not sure if there’s some Play “integrity check” on stock ROMs, but on GOS I was able to create the private space and download&install F-droid or other APKs just fine, without a Google account.