I always go 
when I see requirements like:
" those thermostats shall not try to access internet, or should still function when beeing blocked by my pfsense firewall"
combined with
" optional: should be controllable via siri"
You are OK with sending your voice to the cloud to control things but nothing else?
I can’t answer all of your questions but I can address some of them.
- Zwave is probably a good choice but not the only choice
- The transceiver is called a controller. It does a whole lot more than just sending and receiving messages.
- I would be surprised if the thermostats have external thermometers. But OH is designed such that it doesn’t matter where a sensor values comes from when you use them in your Rules so you can add extra thermometers and use those to drive your heaters.
- Heating Boilerplate - A Universal Temperature Control Solution with Modes