I’d say that you definitely want self-managed!
For the managed solution, someone at your hoster has root access to the machine and, therefore, also to all the keys that are on there. Even if you follow the air-gap solution by the book, that is still a risk.