The statement that Collabora weakens your security is really theoretical - this container does not permanently store any data (yes, some attack vectors remain, e.g. drop miner or DDoS drone bots) - but exposing Nextcloud with your data is more dangerous.
And yes, you must allow access to both the Nextcloud and Collabora instances from every location the client could reside. If you follow the references I provided and understand how the WOPI protocol works, you will see why…