Arch ARM Linux: After Update to NC17 Security Warnings

Apache/2.4.41
PHP 7.3.10

I had to comment out

Header always set Referrer-Policy "no-referrer"

Header always set X-Content-Type-Options "nosniff"

Header always set X-Frame-Options "SAMEORIGIN"

in /usr/share/webapps/nextcloud/.htaccess

to get rid of the warnings in NC17

Because it’s already set in /etc/httpd/conf/extra/httpd-default.conf (for all my sites)

This wasn’t the case for NC16

Did something change here? Did I do it right?

Same here with Debian 10.1 / Apache 2.4.38. Here the header is set in
/etc/apache2/conf-available/security.conf
The statement in .htaccess should be conditional, so it is only set when not already present.

Header setifempty X-Content-Type-Options "nosniff"
in .htaccess does the trick. It works whether the option is set in the Apache config or not.
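
An added example, not part of either post above: after changing .htaccess or the server config, this checks that each of the three headers named in the thread is sent exactly once with the expected value. The function name `audit_headers` and the sample responses are constructed for illustration; the input is a response head as printed by a tool such as `curl -sI`.

```python
# Added example. Expected values are the ones quoted in the thread; each header
# is assumed to be single-valued, as it is there.
EXPECTED = {
    "referrer-policy": "no-referrer",
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
}

def audit_headers(raw):
    """Return {header: 'ok' | 'missing' | 'duplicated' | 'mismatch'} for one response head."""
    seen = {name: [] for name in EXPECTED}
    for line in raw.splitlines():
        if not line.strip():
            break                      # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue                   # status line has no "name: value" form
        key = name.strip().lower()     # header names are case-insensitive
        if key in seen:
            # A proxy may fold repeated headers into one comma-joined line,
            # so "nosniff, nosniff" counts as two values.
            seen[key].extend(v.strip() for v in value.split(","))
    result = {}
    for key, values in seen.items():
        if not values:
            result[key] = "missing"
        elif len(values) > 1:
            result[key] = "duplicated"
        elif values[0].lower() != EXPECTED[key].lower():
            result[key] = "mismatch"
        else:
            result[key] = "ok"
    return result

# Constructed sample: header set both in the server config and in .htaccess.
SAMPLE_DUPLICATED = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Referrer-Policy: no-referrer",
    "X-Content-Type-Options: nosniff",
    "x-content-type-options: nosniff",
    "X-Frame-Options: SAMEORIGIN, SAMEORIGIN",
    "", "",
])

# Constructed sample: each header present once.
SAMPLE_CLEAN = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Referrer-Policy: no-referrer",
    "X-Content-Type-Options: nosniff",
    "X-Frame-Options: SAMEORIGIN",
    "", "",
])
```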