After a lot more research, I am finally starting to begin to understand how Traefik works. 
I managed to get the desired behavior with the following setup:
I removed all shenanigans from docker-compose.yml, and added the following to the dynamic config:
routers:
domainRouter:
entrypoints:
- websecure
rule: "Host(`mydomain.com`)"
service: dummy
middlewares:
- domain
tls:
certresolver: production
catchAllRouter:
entrypoints:
- websecure
middlewares:
- catchAll
rule: "PathPrefix(`/`)"
service: dummy
priority: 1
tls:
certresolver: production
domains:
- main: "mydomain.com"
- sans: "*.mydomain.com"
middlewares:
domain:
redirectregex:
regex: "^https://mydomain.com/(.*)"
replacement: "https://mydomain.com/${1}"
permanent: true
catchAll:
redirectregex:
regex: "^.*$"
replacement: "https://mydomain.com/${1}"
permanent: false
This accomplishes the following:
- The main domain is redirected to a custom URL
- Any subdomain that is not explicitly defined in docker label rules get redirected to another custom domain.
@bluepuma77 thank you for nudging me in the right direction!