Your hosts will also use SLAAC to determine their permanent 'management' address, that's the one you use for connecting _to_ them.
The 'management' address won't be used as the source address for packets originating _from_ the host unless the use of temporary/privacy addresses is disabled.
As a matter of fact I'm an "enthusiast" already, but since I was using the HE tunnelbroker I was banned from several services, so I'll have to get a VPS with a /56 or smth and wireguard over it. I'm a bit uncertain still about MTU, so I'm thinking about just fragmenting stuff on 1500 and taking the penalty hit (still can't get v6 in most of residential Sweden).
Given the number of addresses available in a /64 IPv6 subnet, pick a value to statically assign to it and use that. If you have an SSH bastion host / jump box, perhaps pick ::22 as the end address part.
A friend assigned ::25 for the service vIP of his SMTP server/process, and ::143 for IMAP. Your web(mail) host could be ::80 and/or ::443. All on the same host (if you wish). If you have an HA setup you can have the vIP failover by using (e.g.) keepalived.
You can have a public prefix address, as well as a local 'private' ULA address at the same time. In some ways I wish the best practice would be for IoT devices and appliances (like printers) to only have link-local addresses, and perhaps ULA if advertised, with global addresses only configured via config switch. It would perhaps allay some of the concerns that people have (like you do).