Great info here but I have a few things to add.
Would advise using S5cmd over S3cmd. It is 100x faster. Does not support sync (don't worry, they have an alternative command/method for this, read the docs) but the initial upload takes a lot less time. This is important if you are running an install with 100k plus users on it, each user generates 5-6 files so over half a million 1-2KB files. You will want S5cmd for this!
If you are using Cloudflare, make use of their features. Even more so if you are using Backblaze, no bandwidth charges!
Use a CNAME to proxy your S3 bucket.
https://help.backblaze.com/hc/en-us/articles/217666928-Using-Backblaze-B2-with-the-Cloudflare-CDN
As your URL will include the bucket ID, and the bucket is public, hide it and make the URL look pretty with Cloudflare Workers!
https://jross.me/free-personal-image-hosting-with-backblaze-b2-and-cloudflare-workers/
AFAIK Backblaze B2 does not have access control, unlike most other S3 providers. With access control, you can have a public bucket, but whitelist Cloudflare IP addresses so that no one can crawl your public bucket. Randomize your bucket names anyway! No need to share the bucket name with anyone when you proxy the traffic...
If you use XenForo to proxy the traffic, you can set your bucket to private anyway.
Hopefully, XenForo devs can come up with a solution to have public and private attachments delivered separately so one can use S3/proxy to deliver all public attachments while proxying only private attachments via the forum. Just saves on requests hitting the forum server more than anything but also a big saving on bandwidth if you are hosting many images and videos.
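A sketch of the Worker approach described in the post above, as an added example that is not part of the original post or the linked article's code: it maps a clean public path onto the bucket's real location and drops response headers that would reveal the storage backend or the bucket name. The host name, bucket name and the `/file/<bucket>/<key>` path layout are assumptions with placeholder values.

```javascript
// Added example; originHost and bucket are constructed placeholders.
const CONFIG = {
  originHost: "f000.backblazeb2.com",     // placeholder download host
  bucket: "x7k2q9-attachments-example",   // placeholder randomized bucket name
};

// Map a public URL onto the bucket path /file/<bucket>/<key> (assumed layout).
function buildOriginUrl(publicUrl, cfg) {
  const url = new URL(publicUrl);         // URL parsing collapses "../" segments
  if (url.pathname.endsWith("/")) return null; // no root or directory-style requests
  const origin = new URL(`https://${cfg.originHost}`);
  origin.pathname = `/file/${cfg.bucket}${url.pathname}`;
  return origin.toString();               // client query string is dropped on purpose
}

// Copy origin headers, minus anything that identifies the backend or bucket.
function publicHeaders(originHeaders, cfg) {
  const out = new Headers();
  for (const [name, value] of originHeaders) {   // names arrive lowercased
    if (name.startsWith("x-bz-")) continue;      // storage-specific metadata
    if (value.includes(cfg.bucket)) continue;    // any header echoing the bucket name
    out.set(name, value);
  }
  return out;
}

async function handle(request, cfg = CONFIG) {
  if (request.method !== "GET" && request.method !== "HEAD") {
    return new Response("Method Not Allowed", { status: 405, headers: { allow: "GET, HEAD" } });
  }
  const target = buildOriginUrl(request.url, cfg);
  if (!target) return new Response("Not Found", { status: 404 });
  const upstream = await fetch(target, { method: request.method });
  return new Response(upstream.body, {
    status: upstream.status, headers: publicHeaders(upstream.headers, cfg) });
}

// Register only where a Worker-style runtime provides addEventListener.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handle(event.request)));
}
```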