What’s the point of tunneling everything through third-party servers? You add a dependency on this solution, and you make the whole setup more complex. For your privately used Nextcloud, you can probably neglect the risk of DDoS attacks.
There are a lot of nice terms like firewalls, anti-virus, end-to-end encryption, etc., and if they effectively decrypt and re-encrypt the traffic at their place, everything passes unencrypted at their place. If they scan (firewall/anti-virus) the content, you can never be sure what happens to it (training material for something, …).
Just for clarity, real end-to-end encryption means (for me) that you only decrypt the data on your own device. Not even the server sees the real data, just its encrypted form. And for HTTPS traffic to your server, you don’t want anybody else to see this traffic unencrypted.