Your design idea would not work without heavy customizing so data is shared between all the systems (I doubt it works at all) - and in the end the external system can still access the data - what is the purpose of separation? If your goal would be to separate “internal” and “shared” data - how would you achieve this? Do you expect the user to copy the data back and forth? Trust me, this is gonna fail…
You can easily deploy Nextcloud including a storage in a DMZ without access to internal resources (but this requires storage in the DMZ)… but don’t forget the goal is to store data - if you place your data in the DMZ, is it more secure? The other way round, you could deploy NC in the internal network and access it from outside through a reverse proxy (which could provide additional security).
Network segmentation is a common concept from the past… as the requirements and application landscape changed to “always on” and “access from everywhere”, the buzzword changed to “zero trust” today, with continuous authentication (e.g. OpenID/WebAuthn)… in the end the security of the application is key. …and no, network segmentation itself doesn’t protect your data… it is just one small fragment of a complex security framework.
Nextcloud takes security seriously and has a continuous bug bounty open at HackerOne. The application runs many high-value installations like Bundescloud and high-usage installations like MagentaCloud - you could assume it is good enough for people who don’t have spare budget for security and a support contract.
I would rather spend time and money on building one performant and secure system (pay somebody who knows the job not only from PowerPoint), apply good security settings, update frequently, set up good backup/restore and monitoring and do a pentest - this will give you a more secure and user-friendly system rather than just following some checklist…
Start here: “How to maintain, check and improve the security of your Nextcloud installation”. It doesn’t address company needs but gives you ideas to set up basic protection.