I run all my lab servers/services/etc. in their own /16 on my home net. Nothing is publicly routed in over my WAN IP; if I want to expose a service, it goes through Nginx Proxy Manager to my local service via a ZeroTier tunnel.
I would strongly encourage you to not expose any of the *arr services (particularly your download node) to your WAN IP. PIA’s desktop app does a pretty good job of forcing a full tunnel with a VPN kill switch, so you never have to worry about your ISP catching onto what you’re doing.