... in case you don't know: if it's for resources on a private home network, you can easily add the CA cert (i.e. the public key associated with the private key used to sign your certs) to your devices so that it's no longer unknown and the warnings disappear. I know this doesn't answer your question, but it's what I'd do instead of using letsencrypt for private services.
federation happens over the clearnet, so the only place tor gets used is your connection to the instance.
With syncthing, you can share securely your pictures (etc.) folder on your phone with your computer, and cut cloud storage out of the picture entirely.
syncthing works on every device and substitutes for cloud storage services. pictures taken with a phone end up quickly in the shared folder on my desktop. etc.
can't say I've ever done this. better to figure out why it's broken and fix it so that the next time I encounter that kinda problem, I can fix it quickly.
picking a different port that isn't also used by another common service will eliminate most of the botscans you'll see otherwise.
... do you have a reason to belive your ISP cares if you run wireguard?