Nothing inherently insecure about the RPi specifically. The same rules apply to any device in your network: if you expose services to the internet, you are introducing potential security risks. Does it have to be open to everyone? Should you limit access to specific known trusted clients? Can you use a VPN rather than exposing it to the internet? Is your authentication scheme robust? What data does the device have access to and does it NEED to have access to all of it?
If your device only makes outgoing requests, then your main concern is whether you trust the service it's polling.
You can significantly drop power draw by lowering clocks and voltages. At the same time you risk making the system unstable. You’ll have to rigorously stress test it to make sure it’s actually stable.