Operating Systems
tzsjkjauqktud, 2021-03-10 22:30:33

Some info about protecting vps from outside penetration by the owner of the equipment?

Hey! I heard that cool system administrators are able to completely isolate the working space of the system from external interference by the hoster. Figuratively speaking, I want to host a website on a VPS (or do I need a dedicated server?), but I want to prevent the hosting provider from interfering with the OS in any case.
From the external observer's side everything is clear, I know his methods of gaining illegal access to information, but how can I prevent the hoster from looking into my project? 2) Can Linux somehow really be rebuilt so that it has no login through the local console at all, only remotely via SSH? And all that remains is to somehow monitor all logins to the server, receiving notifications in Telegram.
I have some knowledge of Linux administration, but here I cannot put together the requirements for the OS.
Most likely, you need to 1) encrypt the drive, right? VeraCrypt/TrueCrypt/etc.

3) What to do about the possibility of dumping the RAM, which at that wonderful moment contains the entire OS with all the sensitive processes in the clear?

4) Please don't flame me with "no hoster gives a damn about you", I'm not a mom's-basement hacker with paranoia and I know this very well without the wisecracks))

It also seemed interesting to do all this not even with the system itself but with Docker, so that you can safely run the container on any OS and even with access to the OS it would be impossible to get access inside the container(s). Is that realistic? Though it's basically the same thing: having access to the host system, you can then sniff the moment of logging into the virtual Docker with the decrypted password.
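The login-monitoring part of point 2 is the one piece of the question that can be answered with a short script. The following is an added example (not from the original post): it parses standard OpenSSH log lines, reports every successful login, aggregates failed attempts per source address, and can forward each alert through the Telegram Bot API sendMessage method. The log lines, the threshold of 3 failures, and the environment variable names TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID are constructed assumptions.

```python
import os
import re
import sys
import urllib.parse
import urllib.request
from collections import Counter

# Matches the standard OpenSSH syslog wording for auth results, e.g.
# "sshd[1234]: Accepted publickey for deploy from 203.0.113.7 port 51234 ssh2"
SSHD_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

FAILED_THRESHOLD = 3  # assumption: alert once this many failures come from one address

# Constructed sample log lines, not output from a real server.
SAMPLE_LOG = """\
Mar 10 22:30:33 vps sshd[1234]: Accepted publickey for deploy from 203.0.113.7 port 51234 ssh2: ED25519 SHA256:constructedfingerprint
Mar 10 22:31:02 vps sshd[1240]: Failed password for invalid user admin from 198.51.100.9 port 44444 ssh2
Mar 10 22:31:03 vps sshd[1240]: Failed password for invalid user admin from 198.51.100.9 port 44444 ssh2
Mar 10 22:31:04 vps sshd[1240]: Failed password for root from 198.51.100.9 port 44445 ssh2
Mar 10 22:31:05 vps sshd[1241]: Accepted password for root from 198.51.100.9 port 44446 ssh2
Mar 10 22:32:00 vps CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def parse_sshd_line(line):
    """Return a dict describing an sshd auth event, or None for unrelated lines."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    return {
        "result": m.group("result"),
        "method": m.group("method"),
        "user": m.group("user"),
        "invalid_user": m.group("invalid") is not None,
        "ip": m.group("ip"),
        "port": int(m.group("port")),
    }


def build_alerts(lines, failed_threshold=FAILED_THRESHOLD):
    """Turn raw log lines into alert strings.

    Every successful login is reported (that is what the question asks for);
    failed attempts are counted per source address and reported once, when
    the threshold is reached.
    """
    alerts = []
    failures = Counter()
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        if ev["result"] == "Accepted":
            alerts.append(
                f"SSH login: user={ev['user']} method={ev['method']} "
                f"from={ev['ip']}:{ev['port']}"
            )
        else:
            failures[ev["ip"]] += 1
            if failures[ev["ip"]] == failed_threshold:
                alerts.append(
                    f"SSH brute-force suspicion: {failed_threshold} failed logins from {ev['ip']}"
                )
    return alerts


def send_telegram(text, token, chat_id):
    """Send one message via the Telegram Bot API sendMessage method."""
    url = f"https://api.telegram.org/bot{token}/sendMessage"
    data = urllib.parse.urlencode({"chat_id": chat_id, "text": text}).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # With piped input (e.g. journalctl -fu ssh | python3 monitor.py) the
    # script follows the live log; otherwise it runs on the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    token = os.environ.get("TELEGRAM_BOT_TOKEN")  # assumed variable names
    chat_id = os.environ.get("TELEGRAM_CHAT_ID")
    for alert in build_alerts(source):
        print(alert)
        if token and chat_id:
            send_telegram(alert, token, chat_id)
```

On the sample input this yields three alerts: the deploy login, the three-failure warning for 198.51.100.9, and the subsequent password login for root from that same address, which is exactly the sequence an operator would want to see together in one chat. Note that this only observes what sshd logs; it says nothing about the local console, which is the separate part of the question.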

4 answer(s)
rPman, 2021-03-10
@tzsjkjauqktud

It's impossible to fully protect yourself; even with Secure Boot (encryption keys in UEFI, a self-signed bootloader, encrypted partitions) a 0day vulnerability was discovered that lets you replace the bootloader and steal the partition encryption keys from the owner.
But it is possible to make the task so expensive that it will only be undertaken in a targeted manner.
* It is better to keep your services on hardware that is completely available to you and not on a virtual machine, since a virtual machine gives the hoster a lot of opportunities for free.
* You will have to bring up the hypervisor yourself, so that the hoster does not do it; it is harder to run your hypervisor inside a simulation, and this can be detected with a benchmark.
* Partition encryption, not even up for discussion.
* Modify grub and the bootloader in the initramfs in a non-trivial way, change the method of booting and controlling the system (meaning booting over the network, with the password for the encrypted disk entered via ssh).
Unfortunately the bootloader is the weakest part of the protection: by replacing it with his own (modifying yours) an attacker can introduce a stealer of passwords, encryption keys, etc. into it, and the actual method of detecting this will determine the cost of hacking.
Changing the boot process will require the attacker to disassemble your code, which is a huge job, and it can be complicated further if the bootloader is new (obfuscated in a new way) each time. Of course, the initramfs and vmlinuz files should be loaded over the network, they have no business sitting at the hoster, and anyway they should be different every time (grub can do tftp/http; don't worry that it's an unencrypted channel, it doesn't matter here).
Additionally, put process monitoring in memory into the initramfs: if something changes (different sizes of memory areas in /proc/pid/smaps, for example), then sound the alarm / feed false data.
* If possible, any activation of the server must be performed only personally (by a trusted person) using a special bootable USB flash drive (which does not contain all the necessary information, but which lets the owner connect remotely and enter it, for example from a laptop right there).
* The latest AMD has some memory encryption, precisely for virtual machines and protection from the hoster - AMD SEV; I also saw a discussion and patches for qemu in which memory encryption was emulated - performance will certainly be below the baseline, but the hot-reload trick with a memory dump will no longer work.
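The "watch the sizes of memory areas" idea in the answer above can be made concrete with a small baseline-and-diff check. The following is an added example, not rPman's code: it parses the address-range lines that /proc/<pid>/maps shares with the smaps file, aggregates region sizes per (mapping name, permissions), and reports mappings that appeared, disappeared or changed size between a baseline and a later snapshot, flagging new writable+executable regions specifically. The two snapshots are constructed; snapshot_pid() reads a live process on Linux.

```python
import re

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]".
# The smaps file mentioned in the answer uses the same header line per region,
# followed by per-region detail lines, which this parser simply skips.
MAPS_LINE_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<perms>[rwxps-]{4}) "
    r"(?P<offset>[0-9a-f]+) (?P<dev>\S+) (?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed baseline snapshot of a hypothetical /opt/app/server process.
BASELINE_MAPS = """\
55d4c0400000-55d4c0401000 r--p 00000000 fd:01 1310720 /opt/app/server
55d4c0401000-55d4c0405000 r-xp 00001000 fd:01 1310720 /opt/app/server
7f3c2a000000-7f3c2a021000 rw-p 00000000 00:00 0 [heap]
7f3c2b000000-7f3c2b1c0000 r-xp 00000000 fd:01 2621440 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd12300000-7ffd12321000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed later snapshot: the heap grew and an anonymous rwx region appeared.
CURRENT_MAPS = """\
55d4c0400000-55d4c0401000 r--p 00000000 fd:01 1310720 /opt/app/server
55d4c0401000-55d4c0405000 r-xp 00001000 fd:01 1310720 /opt/app/server
7f3c2a000000-7f3c2a041000 rw-p 00000000 00:00 0 [heap]
7f3c2b000000-7f3c2b1c0000 r-xp 00000000 fd:01 2621440 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3c2c000000-7f3c2c001000 rwxp 00000000 00:00 0
7ffd12300000-7ffd12321000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Return {(name, perms): total_size_bytes}, summing regions with the same key."""
    regions = {}
    for line in text.splitlines():
        m = MAPS_LINE_RE.match(line.strip())
        if not m:
            continue  # smaps detail lines or blank lines
        size = int(m.group("end"), 16) - int(m.group("start"), 16)
        name = m.group("path") or "[anon]"
        key = (name, m.group("perms"))
        regions[key] = regions.get(key, 0) + size
    return regions


def diff_maps(baseline, current):
    """List findings: mappings that are new, removed, or changed size."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        name, perms = key
        before = baseline.get(key)
        after = current.get(key)
        if before is None:
            tag = "NEW"
            if "w" in perms and "x" in perms:
                tag = "NEW writable+executable"  # the classic injection signature
            findings.append(f"{tag}: {name} {perms} size={after}")
        elif after is None:
            findings.append(f"REMOVED: {name} {perms} size={before}")
        elif before != after:
            findings.append(f"RESIZED: {name} {perms} {before} -> {after}")
    return findings


def snapshot_pid(pid):
    """Parse the live map of a running process (Linux only)."""
    with open(f"/proc/{pid}/maps") as f:
        return parse_maps(f.read())


if __name__ == "__main__":
    for finding in diff_maps(parse_maps(BASELINE_MAPS), parse_maps(CURRENT_MAPS)):
        print(finding)
```

Run against the constructed snapshots it reports the new rwxp anonymous region and the heap growth; a real deployment would take the baseline right after the service starts and compare periodically, treating a benign heap resize differently from a new writable+executable mapping. This catches tampering with a live process, not the bootloader replacement the answer warns about, which happens before any such monitor is running.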

Vasily Bannikov, 2021-03-10
@vabka

3) What to do about the possibility of dumping the RAM, which at that wonderful moment contains the entire OS with all the sensitive processes in the clear?

Nothing.
2) Can Linux somehow really be rebuilt so that it has no login through the local console at all, only remotely via SSH? And all that remains is to somehow monitor all logins to the server, receiving notifications in Telegram.

Some hosters allow you to disable the local console completely and leave only the SSH connection. Yandex Cloud, for example.
I'm not a mom's-basement hacker with paranoia

About the mom's-basement hacker, dunno, but there is definitely paranoia)
It also seemed interesting to do all this not even with the system itself but with Docker, so that you can safely run the container on any OS and even with access to the OS it would be impossible to get access inside the container(s). Is that realistic?

Docker is process-level virtualization, so no)
If you distrust providers that much, then you need to build your own DC)

CityCat4, 2021-03-11
@CityCat4

but how can I prevent the hoster from looking into my project?

No way. Without being able to control the equipment, you cannot do anything at all. With your own server in a DC you have some options, but everything will depend on the value of the project - the more attractive your project, the more funds will be allocated to hacking it.
On regular shared hosting you are nobody at all and there is no way to call you anything - the hoster walks into your setup at any time as if into his own home.
A VPS has some features such as disk encryption etc., but the hoster takes a snapshot of your machine at any time and dissects it at leisure. Snapshot tools work at the hypervisor level; the machine will not notice them.
There are even more options on Dedicated - you can easily protect yourself from most wannabe hackers; the problem of untrusted boot remains, but again, if the value of the project exceeds the cost of getting into it, they will find their way onto Dedicated too.
A 100% guarantee is given only by your own server room (or DC) with round-the-clock surveillance and security. Which is fully consistent with my usual principle: if you do not control the hardware, you do not control anything.

Ruslan Fedoseev, 2021-03-11
@martin74ua

Ask yourself why a hoster would need to look into your project.
To answer this question, work in a hoster's tech support and understand that nobody needs to look into each of the thousands of virtual machines...
