
encryption - ZIP with password protection scheme validation - Stack Overflow


I'm using the ZIP format for backups of an app. The size is probably from 10Mb to 2Gb. The number of files inside might be up to 10k. I wanted to add password protection but found out that both ZipCrypto (broken scheme) and AES (suggested by WinZip, uses SHA1 + 2000 repetitions to generate a key from the password, uses ECB) are either broken or outdated.

So here's my scheme for analysis:

  1. Ask a user for a password and generate a key using PBKDF2 (600000 repetitions as per OWASP, SHA256 with random nonce).
  2. Compress each file individually with brotli and encrypt using AES-CBC with a per-file random IV.
  3. For each file the IV is stored, and for the whole ZIP the nonce is stored. Also, for password validation I store the last 128 bits of a hash which is not used for encryption.
  4. Disable ZIP compression as it doesn't make sense here.

Compression ratio and speed are good enough for me. But am I doing the encryption correctly? Should I use GCM?

Yes, I know that from both an encryption and a compression point of view it would be better to compress and encrypt the whole file at once. But I still need random access to the ZIP contents, so the container is kind of important.

Yes, I know it is non-standard and files can be extracted using only my software, and I'm OK with it.

This is very similar to the AES-256 scheme of WinZip, but they generate a key for each file individually with a different nonce but with a weak generator.
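The scheme in steps 1 to 3, as an added example that is not the poster's code: it uses only Node.js built-ins and swaps AES-256-GCM in for AES-CBC, with a short CBC function for contrast on the "Should I use GCM?" question. Assumptions: the function names are hypothetical, the post's PBKDF2 "nonce" is passed as `salt`, and the "last 128 bits of a hash" is read as bytes 32 to 47 of a 48-byte PBKDF2 output.

```javascript
// Added example, not the poster's code. Function names are hypothetical.
const crypto = require('node:crypto');
const zlib = require('node:zlib');

const ITERATIONS = 600000; // PBKDF2-HMAC-SHA256 count given in the post

// Steps 1 and 3 (assumed layout): one PBKDF2 call yields 48 bytes, a 32-byte AES
// key followed by a 16-byte verifier that is stored and never used as a key.
function deriveKeys(password, salt) {
  const out = crypto.pbkdf2Sync(password, salt, ITERATIONS, 48, 'sha256');
  return { key: out.subarray(0, 32), verifier: out.subarray(32, 48) };
}

// On open: constant-time compare with the stored verifier; null means wrong password.
function checkPassword(password, salt, storedVerifier) {
  const { key, verifier } = deriveKeys(password, salt);
  return crypto.timingSafeEqual(verifier, storedVerifier) ? key : null;
}

// Step 2 with GCM: brotli, then encrypt under a fresh 12-byte nonce per file.
// The entry name is authenticated as associated data.
function sealEntry(key, name, data) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(name, 'utf8'));
  const body = Buffer.concat([c.update(zlib.brotliCompressSync(data)), c.final()]);
  return { iv, tag: c.getAuthTag(), body };
}

// Throws if key, entry name, nonce, tag or ciphertext do not match.
function openEntry(key, name, { iv, tag, body }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAAD(Buffer.from(name, 'utf8'));
  d.setAuthTag(tag);
  return zlib.brotliDecompressSync(Buffer.concat([d.update(body), d.final()]));
}

// Contrast, AES-CBC as in the post: an IV with one changed bit still decrypts
// without error and yields different bytes, so CBC alone gives no integrity check.
function cbcAcceptsAlteredIv(key, data) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', key, iv);
  const body = Buffer.concat([c.update(data), c.final()]);
  const altered = Buffer.from(iv);
  altered[0] ^= 1;
  const d = crypto.createDecipheriv('aes-256-cbc', key, altered);
  const out = Buffer.concat([d.update(body), d.final()]); // no exception here
  return !out.equals(data);
}
```

Each archive entry would store `iv`, `tag` and `body`; the salt and verifier are stored once per archive, matching step 3.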
