That is not an easy question to answer.
Nextcloud is an application. The code is as safe as you can reasonably expect and not much is different between the community version and the enterprise version. In fact they are the same.
However, a working Nextcloud instance is more than what is provided by Nextcloud. It is dependent on middleware components, the network layer and the operating system. Each of these needs to be configured and optimised for security to stay reasonably safe.
With regard to config and PHP files, any PHP file except the OCC is meant to be reachable. However, some can only be read/executed if you are authenticated and others only if you are a specific user. The config file is placed under a subfolder, which cannot be browsed from a browser if you have followed the recommended setup of your webserver. Using PHP-FPM can add a little bit of extra security to your setup, as then it is not the webserver or any webserver module which reads or executes the backend files, but instead the PHP-FPM daemon.
Truth be told, no matter where in your server's filesystem you place a file, if it is needed by the backend application, it is reachable by the webserver or PHP-FPM engine.
Follow best practices and almost any popular installation and configuration guide, and you are reasonably secured. There are some guides that go to the extreme for security as well.