Yes, by default windows launches UAC prompts in the supposedly isolated “secure desktop” instead of the classical “interactive user desktop”.

It is not necessary for the attack and was used to illustrate the vulnerable app manifest configuration.

You’re right to be reluctant to apply everything by hand. K3s has a built-in feature that watches a directory and applies the manifests automatically: https://docs.k3s.io/installation/packaged-components

This can be used to install Helm charts in a declarative way as well: https://docs.k3s.io/helm

If you want to keep your solution agnostic to the kubernetes environment, I would recommend that you try ArgoCD (or FluxCD, but I never tried it so YMMV).

I guess the network will be a bottleneck on Garage too. If you want high performance you might need a hybrid solution, like clustering of stateful apps on local storage as well as periodic full backups on a distributed storage.

Longhorn is pretty easy to use. Garage works well too. Ceph is harder to use but provides both block and object storage (s3).