I don’t have any guide (haven’t looked for one). The concept is simple:
Configure Wireguard server on the VPS.
Connect to server using your router/home firewall as a client (I believe you’ve done this already).
Configure nftables or iptables to forward traffic coming from a certain IP/port through your VPN connection to your router.
Since you have hosted your proxy at home, that’s where TLS termination happens, which means your traffic is encrypted in transit (NAT does not decrypt packets). So yes, you’re (in theory) safe from the VPS provider.
I believe there are ways to encrypt one’s RAM on a VPS but you likely don’t need it here, and that might be beyond the scope of this discussion anyway.
Cheers. I was given this idea by another person on Lemmy, I’m just pushing this wonderful idea forward.