My recommendation is a VPN server to connect in from outside and have the default gateway for the VPN clients be a server that acts as a router that’s set up with your commercial VPN.
That way, you can be outside on a phone or a computer, access your internal network and still have your public internet traffic go out through your commercial VPN without having to be able to configure multiple VPN connections at once (eg. Android doesn’t support that).
Eg. 2 debian proxmox containers. One that runs wireguard (head/tailscale might also work here?) for external access and one that runs mullvad(or whoever) VPN cli and IP forwarding to be the gateway for your clients.
Only downside is the extra hops to send everything through your home network first rather than straight to the commercial vpn which is probably fine depending on your speeds. You can always disconnect and connect directly to the commercial VPN for faster internet traffic if you need to.
For the unprivileged container thing, containers tend to be lighter on resources than VMs at the cost of a little isolation (they share the same kernel as proxmox which could have security implications).
The ability for lxc containers to run unprivileged with all the restrictions that entails alleviates a bit of that security risk.
Both options are generally considered pretty secure but bugs/vulnerabilities could break isolation in either case. The only real 100% safe isolation is bare metal.
I tend to run containers unless I have a really good reason to need a VM, and run unprivileged unless I have a really really good reason not to.