You can set notifications so you know which containers were updated recently. If a container stops working, then just revert to the previous image.
And configure when Watchtower should run the update. I set mine to update at 8pm, so in case something breaks, I still have a few hours before bedtime to fix it.
I like the blocky adblocker (https://github.com/0xERR0R/blocky). It is easy to configure using a YAML file and also easy to back up.
You can set up a WireGuard VPN server. On your phone, set the VPN DNS server to your adblocker IP and set on-demand connection to only connect to the VPN when it is not connected to your home network.
Asus routers with Merlin firmware have an option called “global redirection” that can force LAN devices to use a specific DNS server.