It should all be explained here. But this in particular belongs to the community documentation, which will be migrated to the forum soon, so I guess it's just a matter of expanding this post you've already done. Do you mind if I turn it into a wiki post so I can contribute as well?
I also moved your notes about the firewall rules setting to a "hardening" section, since it seems more advanced. And I wanted to ask you what that part aimed to achieve. If it is DNS hijack protection, doesn't the WireGuard config enforce it?