Ansible or other IaC is a great choice. If your needs are real simple, like mine, i put Gitolite on one of my mini servers and i can push/pull from there over ssh.

Malware in the traditional sense, as in a malicious program that sneaks its way onto your machine and runs a dangerous payload, is far far more common on Linux machines with open ports acting as servers on the internet. And even then, I’d wager that’s less than 1% of the malware out there that specifically targets Windows simply due to market share. With that in mind, plain old Fedora will do just fine, especially if you leave SELinux enabled; many tutorials have you disable it if it interferes with apps/services you want to run, but they’re simply being lazy, working around SELinux can be obscure at times, but it’s still worth doing, and keeping it running rather than disabling it.

Malicious webpages and phishing attempts are more likely to cause you trouble on Linux, and the OS can only do so much to protect you there. Securing against those is more about vigilance and wisdom, which it sounds like you’ve got covered honestly!

I’m not sure I’m qualified to answer, you seem to know your security needs but i’ll ask anyway: what are you securing against and why? You listed your security goals, but not exactly why you need them and what you are defending against. Fair enough, but without knowing more details, I’d suggest looking at QubesOS, which specifically isolates apps into different virtual machines. You could also go with security-by-minimality, and roll your own environment with Arch or Alpine (even Gentoo if you really wanna go down the rabbit hole)

I have a lifetime subscription to Filen that I got a year or so ago and have been very happy with, much nicer than Proton Drive in my experience.