unrooted
1.) Any USB storage device is fine, assuming it is functional. LUKS does not work on Android. Neither does VeraCrypt.
Hardware-based encryption might not work, I never tried it. They probably will, but I don't know.
2.) Again, LUKS isn't supported on Android. I don't know what DFIR is. Partitions are not really a concern with Android. User data is sandboxed between users.
3.) Termux needs to be in the Owner profile apparently (bayesian)
4.) 'new privacy-oriented e-mail address', don't self-host an email server regardless. I wouldn't recommend it for anyone but people who know what they are doing.
Wrote about this before, but Gmail is your best bet. Privacy is not really a thing with email. (don't trust any mail server saying they will 'encrypt' your emails)
music/podcasts: NewPipe. YT/SoundCloud client, works great!
"I had file manager with additional safe folder protected by biometrics only", sounds incredibly gimmicky; I wouldn't trust that. I'd just make a new user for such files.
4.) Case, screen protector. My phone has been saved like 5 times by a screen protector.