I think the best solution for you is this (assuming you don't have mission-critical applications...): 2 PVE nodes with ZFS replication + QDevice
Of course, you'll need to consider ZFS's asynchronous replication, but if you manage replication times well for each VM, based on the data it contains, you can minimize the (potential) data loss you'll experience in the event of an unexpected catastrophic failure.
...remember, you're providing a rapid recovery service in the event of an unexpected catastrophic failure, so unless you have mission-critical applications, losing a few minutes of data probably won't matter...
Additionally (...and here I expose myself to criticism...), there's also the option of a "quasi-HA" configuration with just two ZFS nodes (without the qdevice...), but in this case, you expose yourself to the possibility of a split-brain in the event of a FULL DOWN failure.
This configuration is not recommended, but there are a couple of configuration tricks that can avoid a split-brain by preventing the system from automatically booting if a critical condition occurs, waiting for manual intervention by technical personnel who are familiar with managing unexpected failures and (manually) avoiding a split-brain.
If, in this situation, you can afford to wait for manual intervention, then this is a possible option...
We have some 2-node clusters without qdevices that have been working fine for years, and in cases of complete shutdowns (even accidental ones), a careful manual restart has always solved everything.
DISCLAIMER:
...I already know some will say that the configuration with just 2 nodes (without qdevices) is dangerous... I know, I pointed it out above, but it CAN work if you take this into account correctly and apply the right precautions.
Please don't insult me if you disagree...
