You are correct. The provider owns the IP and also VPS. They theoretically have the ability to do anything within those confines. Same thing with your nameserver provider with your DNS records and the domain itself with the registrar. There’s a certain level of trust that needs to be accepted for anything that goes outside the confines of your house. The good thing is those companies have more to lose than you by breaking that level of trust.

• Turn off password login for SSH and only allow SSH keys
• Cloudflare tunnel
• Configure nginx to resolve the real IPs since it will now show a bunch of Cloudflare IPs. See discussion.
• Use Fail2ban or Crowdsec for additional security for anything that gets past Cloudflare and also monitor SSH logs.
• Only incoming port that needs to be open now is SSH. If your provider has a web UI console for your VPS you can also close the SSH port, but that’s a bit overkill.

You can obfuscate your location with a reverse proxy. The biggest problem with self-hosting is what can get compromised if they get access inside your network as opposed to a VPS. Keeping up to date on what is publically facing for vulnerabilities starts to become a chore.