The main switch is a stack of Cisco 9300s. In the attic I have two Cisco IE 3000s. One of the IE 3000s has a PoE (802.3at capable) module on it. The module is not cheap at all and would likely break the bank. The IE line stands for Industrial Ethernet and it is designed for harsh environments, and the hottest I saw my attic this summer was 114 degrees. So I was well within what it could handle. One switch is dedicated to IPTV and the other is for the other items, like a My Q gateway fed via a PoE splitter and a Kevo Plus (also fed via a PoE splitter), but I also use the IE 3000 for non-gigabit connections. No need to use expensive mGig ports for fast Ethernet or, in the case of the My Q gateway, Ethernet (10 Mbps). I also have TVs, Roku, FireTV, alarm system and RS-232 to Ethernet devices connected to it since they are primarily fast Ethernet devices. So the 20 fast Ethernet ports on it are fed via 2x1Gbps connections; so no oversubscription issues.
My advice, since you're building: I built my house about three years ago and I paid for conduit to be put down walls and then ran my Cat6a cables after closing. This would allow you to get the cables for the cameras down the wall with ease. The conduit they used was fiber conduit; so corrugated plastic. I easily got six Cat6a cables down them with room to spare. I'd guess about 50% full. In the TV areas, there is one that goes from the attic to outlet level on the wall. The second goes from that same outlet level area (so double gang) up to where it will be behind a TV. This way even HDMI cables and the like can be hidden. This also allows me to loop cables in the double gang box up to the TV for the TV and a FireTV plugged into the TV. I just wish Amazon offered a PoE USB adapter; this way it could be powered via PoE. For your front door, I would also run an Ethernet cable down to it along with the doorbell wire. If you ever wanted to go with a video doorbell, you could go with a DoorBird and tie that into Blue Iris and probably SecuritySpy since the stream is directly accessible and ONVIF compatible. Also at the ringer you could do an IP chime; so that would be another Ethernet cord there as well. Really easy to run when there is access and a pain when there is limited access.
Your approach mimics mine. You could buy an Intel NUC to run Blue Iris on and then just have external storage on it or use your NAS. The other option for a Mac would be SecuritySpy. I'm mainly Mac based but Android phones. I do have Windows Servers for 802.1x wireless authentication; so I use the AD portion and bind the Macs to AD. I don't know what Mac you have and if SecuritySpy would handle the cameras; but it is something you could look into.
The major upgrades to Blue Iris are the regular price; even the regular price is cheaper than the upgrade that many of the competitors offer. He does sell a support plan which includes major upgrades.
The mid tier is half the price of the license and it is for one year. So even if you don't buy a support plan and need to spend $60 every few years for the major version upgrade, it isn't that bad. SecuritySpy upgrade pricing is 35% off the full retail price.
I would say Blue Iris is still cheaper even when you have to pay full price for major upgrades. It is not like they are released every year. Keep in mind that Blue Iris is Intel centric and not AMD. So if hardware encoding/decoding is required, it will work on an Intel box, not on the AMD. NVIDIA GPUs are also not supported. There are hardware boards that can be added though. In 2020 things will get interesting when Intel releases their standalone GPU and I would expect that Blue Iris will be able to support it to offload transcoding to it. Until Intel announces some details, who knows though.
Blue Iris also supports Android and iOS devices with an app. So you would have your mobile access.
Since you're also a Mac person, Indigo is a Home Automation system that runs on a Mac. There are plugins for Blue Iris and SecuritySpy.
Looks like you have some decisions to make. Another location for your switch: the garage. Depending on where you live, it would not get terribly hot or terribly cold compared to an attic.