It is discouraged but with a very strong non-reused primary password for your home instance, you’d be hard pressed to have problems with hackers even if they dump your database. It’s still a better idea to use a hardware key but that’s understandably annoying to carry/use.
One thing you could do is setup a second vaultwarden instance running on a separate machine ideally on a separate network and keep only TOTP connections on it, with its own backups and storage. But that is probably just as annoying.
Yes. It’s a viable way to save money if you use a site like https://shucks.top/