With external storage, we still relay all traffic from cloud storage, through our instance and to the client. This means incurring significant bandwidth and processing power at our NextCloud server.
Since most cloud storage providers already offer an S3-compatible API to create a signed URL, or some form of auth token that our client can include in the header to request the file directly from the cloud storage provider, this seems like a logical thing to do.
This way, our NextCloud installation can be used as the frontend/authentication server that maintains assets for the UI (e.g. filenames, metadata, cached thumbnails, etc.) without needing to serve large transfers.
Instead of getting cloud storage with NextCloud preinstalled, managing authentication locally would be preferred and more secure.