Hello @pipe2devnull,
welcome to the Nextcloud community! 
I think most of your concerns or confusion results from “SSL termination” - where your reverseproxy is handling TLS and your application only uses plain http. yes it is fully valid setup and you can learn details in 101: reverse proxy
the protocol itself is IMHO secure enough for most istallations (there many links in Collabora integration guide - dive into the rabbit hole for details) - if you add your router as allowed IP it is more or less the same as “allow everything”. it’s not as bad to fix connectivity issues as this IP address level protection is simply another security layer - but under the line it’s the same and keep un-configured (and live with the warning).