Using OpenZiti and zrok to Support "On-Prem" Services

Thanks @qrkourier. Your reply is hugely appreciated.

I'm leaning towards frontdoor keeping ssh via zrok available for each of my deployments. And then zrok web proxy and drive alongside my docker compose "stack" for each of my deployments.

I have a concern which has been bugging me for a while. It is that each of my app deployments will have the same zrok account secret token available somewhere on the deployment's host machine in plain text. And typically the host machine is a VPS in our clients' infrastructure, i.e. our clients have root access to those host machines and could sniff out the access token if they knew where to look. Which would mean they'd be able to retrieve the keys to the kingdom (access zrok shares for all my clients). Of course, I could use a different account for each of my deployments, but that would make it harder for me to manage on my side.

This shares some similarity (sort of) with this post: Compromised tokens.

I guess I'm asking for general views on this concern and the way that I'm using (or thinking about using) zrok. Maybe there's a way to "flash" the token into and then out of the host machine, so that it doesn't sit there. Any other ideas?