@gipsea you are right on nr 2 - we don’t recommend setting these permissions as it has caused more issues than it increases security. If an attacker can replace files with the rights of the web server, you’re in big trouble anyway.
I suggest to stick to default permissions. Nextcloud will automatically set them to ‘600’ upon running the update script.