You can either point the first proxy to the second proxy, or point it to the backends directly. Depends if you have firewalls in the way that stop the VPS proxy reaching your backends directly; or if that internal nginx instance is dong anything clever like handling auth, adding headers etc. etc.
In your instance I’d more likely have the VPS locked down and unable to access my internal resources and just open up its access to my internal nginx instance. Therefore chaining proxies would be my approach but there’s no right or wrong.
Normally fine but if you want to be more careful about what is being pushed to your server you can use something like diun to get notifications and run updates manually.
Personally I love dockcheck, which I think is by a guy on the sub. I tend to just run that every now and again and be done with it unless I am notified of a perssing update, although I do still have a couple of things I don’t care too much about just auto update with watchtower.