I’ve mentioned this before, but it’s worth bearing in mind that you really can’t trust encryption to anything that runs through the web client. A malicious admin would only have to tamper with the code of the app to capture your passwords. It would be a trivial attack.
Only by using an independent piece of software locally, like Cryptomator, can you have reasonable confidence in the encryption. But that reduces Nextcloud to a fileserver.