hAP ac2 (Disable Wifi function) should be enough for your usage. (hEX should also suitable but CPU will be a bit weaker)

What is your budget? If below rm1k then get the latest new model RB5009 equipped with 10Gbps SFP+ FTW. Otherwise you can get a hEX S, or hAP ac2 or hAP ac3. But it would be a waste since you already got your own Deco AP, get an RB5009 instead it is using native RouterOS v7 already and support WireGuard and ZeroTier also!

Already got mine, but can't test yet because my main router has builtin AP inside it so I don't want to disrupt my family's work since they all wfh and using wifi. Am waiting for y U6-LR haven't reach yet. 

I know right. Being a network admin/engineer is the lust and urge to watch the logs and also the data transfer rate haha 

1. if i am not wrong,u need a pendrive / external usb ssd/hdd drive for docker related services
2. With Wireguard protocol yes,but the speed might not be able to hit the max speed with your internet plan. (And while utilize high speed with vpn,your router cpu usage will also be high due to vpn data encryption)
3. Use your current Asus TUF AX5400 as Wifi AP,the processing power stress will be lower for both device. (Or you can place both on different place with connected ethernet connection)
4. Yes,routeros does support this kind of wifi setup.

I have RB5009 as main router (router, capsman, vpn) and ax3 (containers & 5Ghz wifi.) and ax2 (2.4 & 5Ghz wifi) as APs  Not sure how a single ax3 would fare if everything is on it.

1. Docker so far working quite reliably. I have AdGuard Home, UptimeKuma and Lego on the ax3. Using a USB3 thumb drive for container storage.
2. Main RB5009 router set for NordVPN, VPN Unlimited and Zerotier. Seldom use the VPN though so can't say much about it.
3. I use ax3 and ax2 for 2-storey house. Coverage pretty good. 2.4Ghz active only on the ax2 for IOT and legacy devices. ax3 is 5Ghz only, covers back of the house (up & downstairs). ax2 covers the front (up & down)
4. Multiple SSIDs no problem. Can set to your heart's content.

Before I got the ax3 & 2, I used Deco M9 Plus and then X20. Also tried TM's DLink for a week or 2 which was pretty good. Don't like and have never used Asus for many years already.