I'm missing the actual self hosted guide where I can use my own hardware instead of a VPS.

Can't you install docker compose on your own hardware and follow this? https://snikket.org/service/quickstart/

They're really lagging on their mobile client updates.

You can use upstream apps instead of their forks, as I do. Zero problems.

Has anyone done a security review of their source code?

It is simply Prosody + Conversations + Siskin [1], so I'd say that many people have had their eyes on their code.

Specific security audits would have to be searched for, though.

[1]: https://snikket.org/open-source/