My plan is to install the OS on the SSD and use the HDDs for main data storage.
Assuming that your main data storage is not terribly performance critical, that seems like a really good plan. In reality, for most small system usage, the system disk is more relevant to "felt" performance (how long commands take, or how responsive the GUI is) than the data disk. Think about what happens when you edit a file or play a video: You access the data disk once or twice, and the system disk several times (for the executable, shared libraries, shell initialization...). So putting your fast disk on the OS disk workload is sensible.
The one big downside (and my home system has exactly the same issue): There is no redundancy on the OS disk. Should your SSD fail (and you described it as "old"), your machine goes down hard. Now, that is "easily" fixed: Just buy a new SSD, re-install the OS (only takes a few hours or days, depending on how skilled and thorough you are), and you're back online. If you're willing to live with the risk of a minor hardware failure (old SSD dies) turning into a wasted weekend, go for it.
I am considering configuring the HDDs with RAIDZ2 in the zpool.
I like that. It means your 4 disks will give you 2 disk's worth of capacity (an acceptable overhead), and any two disks can fail and your ZFS pool continues functioning, giving you ample time to obtain and install a replacement disk.
In the unlikely case that you are performance constrained on the data disks, I would recommend instead using a 2-way mirror built from 4 disks. Like that you get the bandwidth of 4 disks when doing reads (with RAIDZ2 you only get 2 disk's worth of bandwidth). The price you pay: Only 1 disk at a time can fail. And with older disks, and the high absolute error rates of today's disks, having a pool that can only tolerate a single fault is uncomfortable.
And would you recommend encryption for this setup?
Are there any realistic threats that encryption would protect you from? Is a burglar likely to steal your disks, and then turn the computer back on and try to steal your data? Don't worry about your data being at risk from your computer being hacked (encryption doesn't help against that, since the computer is on and the disks unlocked while the hack is running), and don't worry about nation-state actors. Before you put in the effort required to set up encryption, and the risk of it (what happens if you lose the key?), consider the probability of various attacks and scenarios.
Additionally, I am thinking of purchasing 2 more HDDs. What would you suggest I do if I were to buy new drives?
Having a glass of wine or a beer afterwards, because it is a good idea.
The only problem is: What are you going to do with the new drives? Add them to the existing 4-drive pool? Mixing drives of different capacity and performance in the same pool is usually not satisfying, since the pool will be held to the "lowest common denominator". Create a new pool with just the two new drives? First, that pool will not be very redundant (best you can do is a mirror). And now you have to make the painful decision of what data to move to the new pool.
Here's what I would suggest: Run your new machine for a while, and then figure out what the biggest problem is: Is it lack of capacity? Lack of speed? Insufficient redundancy? No backups? Too much power usage? Then buy the correct hardware to fix the biggest problem. A few ideas: Set up the two new drives (very large capacity, low performance) as a pure back pool. Or buy two SSDs, and a find a way to segregate out the really hot data onto the new SSD pool. Or buy two very large disks (22TB), and find a way to segregate out really cold data (perhaps archives of old baby pictures and videos) onto those.
By the way, my home server setup is 4½ disks: One 250 GB SSD to boot from that has the completely OS install on it, two 3-4 TB spinning disks in a mirror for the data, one 2 TB spinning disk (physically 2m away from the server in a fireproof safe) with the backups. The ½ disk is a joke: There is a spare SSD in the server, and once a day the boot/OS disk is copied onto the spare using dd. And there is are several 1 TB backup disks that are physically stored far away (half hour by car), and updated only every we weeks, as off-site disaster recovery.
