I would go with the separate AP route unless your firewall device is conveniently located and want to add a wireless card to whatever firewall box. You’ll need something new for wireless anyway once you plop the firewall in front of the modem.

Used enterprise APs can be good value. Unifi is super easy, reasonably priced, and you can run the controller/management thing as a container on your proxmox for localamagemrnt. Then probably ly anything supported by OpenWRT you can find cheap. Their hardware db might be helpful for comparing models/features in general.

Power for AP can use a poe injector at the switch or AP side of the run. Or whatever power adapter (many “APs” still have some DC power).

Cable runs along baseboards is fine. You can get cable channels and have it look super neat. Way cheaper, there’s little nail in cable rings for exactly that too. Pick a cable color that matches, or paint the channels. If there’s decent coax run all over the house, you could do adapters to avoid a cabling job.

Some random (GMKtek?) N100 dual nic thing runs my opnSense (VM on proxmox) at 1Gbps throughout, through I have minimal filtering applied now. I haven’t tested wireguard/VPN throughput or anything heavy though.

Switch you need anything managed for the VLANs. “Smart” or “Lite” I think get thrown around a lot too for basic managed. If you’re into labbing, again the used business/enterprise can get any range of features. Just have to deal with the noise/power/heat.

Edit: run pihole or adguard home as a container, then have that as the dns given by the current router/dhcp. Should help with filtering until you have something in-line.

OpenTracks, OSM Dashboard, OsmAnd+ worked for basic stuff for me.