Harden a VPS-based Umbrel node

My Umbrel is also on a Debian OS (not Ubuntu) and I manage the ufw rules myself.
I don’t know why you say that Docker is exposing your login in clearnet. It is not true.

But anyway, your concept is flawed from the beginning. Just by running your node on a hosted server, you are already fully exposed. So if you are so paranoid about privacy, a VPS is not the place to keep your node. Umbrel was designed to be a personal server, in your home, in full control, not a virtual server. There are many other solutions for a remote node.

An Umbrel node, anyway, runs entirely over Tor by default, so there are no ports open by default, only if you open them in your local machine's ufw and forward the ports on your router (where your node is located).

If you just want a BTCPay server in clearnet, there’s NO need to use Umbrel for that. Just install a BTCPay server (even on a VPS) and use it in clearnet. Done. Don’t complicate things more than is necessary.

If you still want to use Umbrel for other apps + BTCPay server, then here is a solution for exposing only the BTCPay app in Umbrel to clearnet.