Likely there will be a upgrade documentation like this one for bullseye .

To add some points, that I do:

• Proper logging: So I could realize something unusual is going on
• rootless podman container: harder to escalate privileges and gain root
• Apparmor: same, plus it could trigger suspicious log entries

Don’t feed the troll

Would it not just be the easiest way to put your scripts under /etc/network/if-up.d/? Then they get run once that connection is brought up.