I'd recommend trying the Pi as a router. I've built my own custom images of OpenWrt but it's difficult to trust a router to stay truly dumb. Debian's nftables does a pretty good job of just passing through traffic and not allowing the OS to be probed directly. It takes about 100 lines of code to convert a vanilla Raspberry Pi image to my current setup. If you set up two SD cards, you can capture all your non-tunneled (not port 1194 or 22) traffic and go through your packet captures every couple of weeks. I process mine through Zeek to minimize pcap retention. Best of all, running things this way gives you real visibility into your network so you don't just have to hope for the best. If I actually suspect anything is afoul, I'll set up a second Pi to capture on a passive network tap and keep it out-of-band. If you really learn what you're doing and you're paranoid, you can basically be running your own SIEM this way for next to nothing. I use an old Android throwaway as a screen to the second Pi through USB tethering and VNC. It basically becomes second nature to notice misbehaving apps from my wife's phone through termshark on the throwaway.
I've shared the code I use to set this up. Don't worry; it's not malicious.
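An nftables ruleset of the kind the post describes (forward LAN traffic, keep the Pi itself unreachable from the WAN side), added here as an illustration and not the commenter's own script; it assumes eth0 is the WAN interface, eth1 is the LAN side, and the Pi performs NAT.

```nft
#!/usr/sbin/nft -f
# Added example, not the commenter's setup script. Assumed interfaces:
# eth0 = WAN (upstream modem), eth1 = LAN (e.g. a USB Ethernet adapter).
# Forwarding must also be enabled: sysctl -w net.ipv4.ip_forward=1
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Traffic addressed to the Pi itself: default drop.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Management only from the LAN side: SSH, plus DNS/DHCP if the Pi serves them.
        iifname "eth1" tcp dport 22 accept
        iifname "eth1" udp dport { 53, 67 } accept
        iifname "eth1" tcp dport 53 accept
        iifname "eth1" icmp type echo-request accept
        iifname "eth1" icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-solicit } accept
        # Anything from the WAN aimed at the router is dropped, so the OS cannot be
        # probed directly; the log line makes those attempts visible in the journal.
        iifname "eth0" log prefix "nft-input-drop " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Pass LAN-originated flows through; the WAN may only answer existing flows.
        ct state established,related accept
        ct state invalid drop
        iifname "eth1" oifname "eth0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}
```

Load it with `nft -f` and persist it in /etc/nftables.conf so it is applied at boot. The non-tunneled capture the post mentions can then be taken on the WAN side with a filter that excludes the tunnel and management ports, e.g. `tcpdump -i eth0 -w lan.pcap 'not port 1194 and not port 22'`, before handing the file to Zeek.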