I'd prefer that notifications are blocked by default (should be opt-in instead of opt-out). The only apps I NEED notifications for are messaging apps; everything else is just annoying.
I don't want bloatware and Google services on my phone. I want to install Magisk modules and use root. If a phone doesn't allow unlocking the bootloader and doesn't have decent custom ROM (or GSI) support, there's no way I'm buying it.
You can use an OTP generator like Aegis Authenticator from F-Droid. AFAIK it even works offline, so there should be no risk if you strictly keep it offline.
https://docs.bazzite.gg/Installing_and_Managing_Software/Updates_Rollbacks_and_Rebasing/rebase_guide/
This should answer most, if not all, of your questions.
It's important to remember that you should rebase to the same DE to avoid issues. Although there shouldn't be any data loss when rebasing, a backup of your files is recommended.
Edit: Forgot to write that these principles apply to all atomic distros. But depending on the distro you're using, the rebasing commands might be slightly different. So always look at the documentation of your distro.