Hi @SamPorter1984,
My recommendation would be to use the proxies as is with OpenZeppelin Upgrades Plugins and use a multisig for the upgrades admin, ideally with multiple team members.
I would be very cautious with custom proxies due to the risk of adding a vulnerability or managing to lock yourself out. I would recommend appropriate (100% coverage) testing and auditing if you do go down this path.
For governance you could look at the discussions on Ideas for Snapshot voting integration with Defender Admin.