Thanks for the kind words.
1) proxy_pass should use the host_ip:port for bridged containers and IP:port for any other service that may also be on a remote machine, but I have a feeling you're using macvlan (the docker container has its own IP), and if that's the case, macvlan blocks connections between the container and the host (and any other container or service that is using the host's IP) as a security feature, so it won't work.
2) If you're referring to incoming connections, then they all should go through the letsencrypt reverse proxy. If you're referring to outgoing, then I'm currently putting them on macvlan so they have their own IP and setting a LAN rule on pfsense to route their IP (source) through the WAN gateway. But I only have a couple of those (duplicati and rclone), and I don't/can't reverse proxy them due to the macvlan restriction I mentioned above.