Hey, glad to see you got it semi-working now. For the keyboard config inside SDDM, I know of arch instructions, but it should work the same on yours. The package to install for the virtual keyboard might be different, but the config file for SDDM should be around here ( says to make it if it doesn't exist)
https://wiki.archlinux.org/title/SDDM#Enable_virtual_keyboard
The specific package on Debian seems to be this one. Try installing it with all dependencies needed-
Again, what can they tap or see into that they couldn't before? All info on the other servers is public, that would be true for any federated server. I really don't get how they'd get any more access to your data than another random person on the internet seeing your profile. They're not making their own instance available to make accounts on, or enable users to post on it directly. You aren't giving them any more details than you would if you had a Twitter account that was public. It is quite literally just for official government information dissemination without being locked behind rate limits.
Surveillance? In what sense, here in particular. A bit confused. Also, it depends on the kind of private instance you mean, since this is private too, in the sense you cannot make accounts on it. What other benefit do they gain over people, using this over a corporate website?
Try and see if the settings application shows the onscreen keyboard as enabled or not. Should be in All settings- Virtual keyboard. If it was working on the lock screen it might just need some setting to change. Are you on X11 or Wayland? That might also be a factor, if it stops once it switches display servers.
Which distro are you on right now? It should have it, at least there is one on mine. Think it's called maliit-keyboard.