Yes, that's pretty much it. I'm also looking forward the release of Coolify v2 - seems it's going to bring a lot of goodies, such as cronjobs and backups. I'm really excited about it! May be worth waiting a few weeks.
I haven't heard of aaPanel before, just checked it and it definitely has some interesting features! The nginx WAF plug-in caught my attention
We wish 
Using a PaaS (like DigitalOcean App Platform or Heroku) would probably be the most worry-free to host a NodeJS app, followed by a proper shared hosting with NodeJS support (cPanel, CloudLinux, SSH access, NodeJS support, JetBackup, nginx or LiteSpeed, and maybe Immunify 360* or BitNinja* to handle attacks).
* no personal experience with those
Heroku is too expensive for me. I've never tried DigitalOcean's App Platform, but I figure it's a safe bet. I've also used Clever-Cloud before, which initially had some reliability issues but I think they've fixed them over time as some fairly big companies are using them.
I've actually considered (and I'm still considering) developing a proper shared hosting (PaaS/CaaS) for NodeJS/MariaDB/PostgreSQL/Redis given my past struggles finding a proper worry-free hosting solution. To date, I've not found a proper shared hosting for NodeJS with all the goodies (e.g.: Postgres or Redis).
If you can setup your NodeJS project on shared hosting, that's the most affordable way while having a minimally managed solution. The more expensive alternative is going for a PaaS.
For more exotic projects you can use a PaaS, for more standard projects you can use regular shared hosting. I think once the project is setup on shared hosting it won't mysteriously break. Just pick a shared hosting with cPanel, CloudLinux, SSH access, JetBackup, nginx or LiteSpeed, maybe something with Immunify 360* or BitNinja* - it's hard to find a proper provider with all these things!
* no personal experience with those
Edit: For cPanel shared hosting, I recommend a reseller account, to separate projects. Otherwise, they'll all run under the same user, which could be a security risk if one app is compromised