I feel strongly that Nextcloud could have communicated far more clearly about these releases. I had to really dig around to find this comment from @Jospoortvliet that explains quite clearly what happened.
And, yes, my concern was increased because the updater doesn’t let me update within the installed release. I see several tickets on that, most of them closed. I couldn’t easily tell whether that’s still considered an open issue.
I guess I’ll go back and refresh my memory about manual updates. But I hope next time Nextcloud needs to do an unscheduled release, they’ll explain much more clearly what it’s for, even before fully disclosing the vulnerability.