Given that the attack vector for CRIME and BREACH is (specifically) compressed content under HTTP/2, wouldn’t use of gzip with Caddy present a security risk? (I’m not going to argue the merits of performance vs. safety, just asking the obvious question about security stance.)
If your web application serves user data or a secret, then you should disable gzip for any web server that’s serving it. Or separate the user data and the secret. Or randomize the secrets for each request. There are server-level mitigations or application-level mitigations. You choose which is best for you.
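The "randomize the secrets for each request" option from the reply above, as an added Go example that is not part of the original thread or of Caddy's code: the secret (for instance a CSRF token) is XORed with a fresh random pad each time it is written into a response, so the bytes in the compressed body change on every request while the server can still recover and verify the secret. The function names and the sample secret are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// maskToken returns base64(pad || pad XOR secret) using a fresh random pad per call.
func maskToken(secret []byte) (string, error) {
	pad := make([]byte, len(secret))
	if _, err := rand.Read(pad); err != nil {
		return "", err
	}
	out := append([]byte{}, pad...)
	for i := range secret {
		out = append(out, pad[i]^secret[i])
	}
	return base64.RawURLEncoding.EncodeToString(out), nil
}

// unmaskToken reverses maskToken and rejects malformed input.
func unmaskToken(masked string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(masked)
	if err != nil || len(raw) == 0 || len(raw)%2 != 0 {
		return nil, errors.New("malformed masked token")
	}
	n := len(raw) / 2
	secret := make([]byte, n)
	for i := 0; i < n; i++ {
		secret[i] = raw[i] ^ raw[n+i]
	}
	return secret, nil
}

// verifyToken compares a submitted masked token with the session secret in constant time.
func verifyToken(masked string, secret []byte) bool {
	got, err := unmaskToken(masked)
	return err == nil && subtle.ConstantTimeCompare(got, secret) == 1
}

func main() {
	secret := []byte("constructed-session-secret-0001") // constructed sample value
	a, _ := maskToken(secret)
	b, _ := maskToken(secret)
	fmt.Println(a != b, verifyToken(a, secret), verifyToken(b, secret))
}
```

Masking only protects the value it is applied to; other user data reflected in the same compressed response still needs one of the other mitigations listed in the reply.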