Hi, I would like to suggest a different approach here. Seems to me that the focus on security kinda sidetracked the end goal.
If I understand it correctly, you want to have a device which will actually be deployed, and a Raspberry Pi to play with on your travels.
As I understand it, you want to send environmental info to your DB.
I would suggest using an HTTPS API.
Your nodes would become ESP32s, as that's the only thing they would be doing: get temp, hum, etc. and send it off to the server.
As the guys pointed out, as soon as you leave it somewhere, it can be compromised. Depending on how much you want to invest in research on protecting the ESP32, it might be as simple as removing the USB connector in your case.
On your server side, you can do a lot, but you can start with a simple Express server with a couple of API endpoints. This would handle incoming data and protect from the rest.
Behind that you can have your Node-RED with another API endpoint for the Express app to talk to.
Then you can do whatever you want in Node-RED.
You can have all that running on one VPS in containers. Have Node-RED on a non-public Docker network. I do have that exposed on the public internet on a random port, so I am able to edit the Node-RED flow easily. With the amount of data you will be getting from your devices, it should be able to run on very low resources.
One more thing to consider: your MongoDB might not be super awesome for time series data. I use InfluxDB, for example, for capturing time series data.
I understand where you are coming from, as I have started something similar for my own project. ... Have a node and send to VPS. And after realising all the intricacies I ended up with Docker images (can do auto Let's Encrypt). It took quite a long time to get it all together, but you will end up with a re-usable framework. So worth it.
I would like to thank @TotallyInformation for summing up what actually happens in real life.
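
The checks the Express gateway described above could run on each ESP32 reading before passing it to Node-RED, as an added example that is not part of the original post. The device IDs, keys, field names and ranges are constructed assumptions, and per-device API keys are one possible way to identify nodes, not something the post specifies.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Constructed device IDs and keys; only the key digests are kept server-side.
const DEVICE_KEYS = new Map([
  ['esp32-garden', sha256('constructed-key-1')],
  ['esp32-attic', sha256('constructed-key-2')],
]);

// Allowlisted fields with assumed plausible sensor ranges.
const FIELDS = new Map([['temp', [-40, 85]], ['hum', [0, 100]]]);

function authenticate(deviceId, apiKey) {
  const expected = DEVICE_KEYS.get(deviceId);
  if (!expected || typeof apiKey !== 'string') return false;
  // Both sides are 32-byte digests, so the constant-time compare cannot throw.
  return crypto.timingSafeEqual(expected, sha256(apiKey));
}

const reject = (status, error) => ({ ok: false, status, error });

// Returns { ok: true, reading } holding only allowlisted fields, or a rejection.
function validateReading(deviceId, apiKey, body) {
  if (!authenticate(deviceId, apiKey)) return reject(401, 'unauthorized');
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return reject(400, 'body must be a JSON object');
  }
  const keys = Object.keys(body);
  if (keys.length === 0) return reject(400, 'no readings');
  const reading = { device: deviceId };
  for (const key of keys) {
    const range = FIELDS.get(key);
    if (!range) return reject(400, `unknown field: ${key}`);
    const value = body[key];
    if (typeof value !== 'number' || !Number.isFinite(value)) {
      return reject(400, `${key} must be a finite number`);
    }
    if (value < range[0] || value > range[1]) {
      return reject(422, `${key} out of range`);
    }
    reading[key] = value;
  }
  return { ok: true, reading };
}
```

In an Express route the device ID and key would come from request headers and `body` from `express.json()` with a small `limit`; only `reading` is forwarded to the Node-RED endpoint on the non-public network.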