First of all, thanks to all who replied! I didn't think there would have been that many people who self-host a SSO-server, so I am happy to see these replies.
As a side-note, I have also been looking into making the setup more robust, i.e. add redundancy. For a "light redundant" senario (not fully automatic, but -say- where I have a 2nd instance ready to run, so I just need to adapt the DNS-record if it is needed), can I conclude from the "makeing a backup" question, that I just need to run a 2nd instance of postgres and do streaming-replication from the main instance to the backup-instance ?
Or are there other caviats I haven't thought about?
Well, the issue here is that your backup may be physically in a different location (which you can ask to host your S3 backup storage in a different datacenter then the VMs), if the servers themselfs on which the service (VMs or S3) is hosted is managed by the same technical entity, then a ransomware attack on that company can affect both services.
So, get S3 storage for your backups from a completely different company?
I just wonder to what degree this will impact the bandwidth-usage of your VM if -say- you do a complete backup of your every day to a host that will be comsidered as "of-premises"