What's a "macaroon access file"?
It's like the cookie file in Bitcoin Core which verifies that the user has the rights to execute commands in the lightning node.
For starters, you should try to use a distro that offers you the chance to configure full-disk encryption, at least on the /home folder. That way the VPS provider can't meddle inside without your password.
But, can't someone with physical access monitor the computer and compromise the password?
This is another type of scenarios I'm afraid of. What if their systems get hacked? Even if they are trustworthy in intentions, I must as well trust that they're very capable in securing their systems, something that I can't just do; that's why I'm searching for a way to eliminate them as intermediaries in the first place, but as it turns out it isn't possible.