Absolute madman :)
Giving an agent access to AWS is effectively giving it your credit card.
At the max, I would give it ssh access to a Hetzner VM with its own user, capable of running rootless podman containers.
Not at all. AWS IAM policy is a complex maze, but incredibly powerful. It solves this exact problem very well.
I am using an AWS Organization managed sub-account, so it's all pretty self-contained to that one account, and I can easily enough terminate that single sub-account.
There's infamously no way to set a max bill amount for an account in AWS, so it indeed has unlimited spending, but I'm okay with a couple hundred bucks a month.
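An illustration of the guardrails this setup allows (added here; not the commenter's own policy): a service control policy attached from the management account to the agent's sub-account, pinning it to one region, to small instance types, and blocking Marketplace subscriptions and any attempt to leave the organization. The region, instance-type allowlist and global-service exemptions are assumptions; an SCP caps permissions, not spend, so it complements rather than replaces a budget alert.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideApprovedRegion",
      "Effect": "Deny",
      "NotAction": [
        "iam:*", "sts:*", "organizations:*", "account:*",
        "support:*", "budgets:*", "ce:*", "route53:*", "cloudfront:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:RequestedRegion": "eu-central-1" }
      }
    },
    {
      "Sid": "DenyExpensiveInstanceTypes",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotLike": { "ec2:InstanceType": ["t3.*", "t3a.*", "t4g.*"] }
      }
    },
    {
      "Sid": "DenyPurchasesAndEscape",
      "Effect": "Deny",
      "Action": [
        "aws-marketplace:Subscribe",
        "organizations:LeaveOrganization",
        "account:CloseAccount"
      ],
      "Resource": "*"
    }
  ]
}
```

The global services listed under `NotAction` are exempted from the region check because they are not regional and would otherwise be blocked outright; budget and Cost Explorer actions remain available so the owner can still monitor the account from outside it.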
> Hetzner VM with its own user, capable of running rootless podman containers
Why not give it root on the full VM, and not use the VM for anything else? Giving it a user, and presumably also running your own stuff as a different user, sounds like a very weak security boundary to me compared to giving it a dedicated machine.
If you're not doing multi-tenancy, there's no reason to not give it root, and if you are doing multi-tenancy, then your security boundary is worse than mine is, so you can't call me a madman for it.