In order to run Nextcloud from the network you don’t need to open any port except 443 and 22 (unless you want to log in via console, but I suppose you don’t).
This means you have to provide public access to port 443. If you use a firewall that prevents anyone from connecting to different ports, there aren’t many differences between a public IP address and forwarding port 443 of another public IP address to the Nextcloud server.
If the attacker found a way to exploit a bug in Nextcloud code and gain privileged access to the server, it would be better to be in a segregated network, but I think it will be too late.
So, if you’re worrying about the Nextcloud server itself and its contents, I think it doesn’t matter.
Instead, if you also want to protect the other servers in your network, I think you should add a firewall between the network and the Nextcloud server, restricting everything you don’t need.
(I’m not even talking about reverse proxies, web application firewalls and other expensive solutions…)
Of course, if you want to access the Nextcloud server via FTP, CIFS, NFS and/or use internal network resources like remote storage, LDAP authentication, backup servers and so on, this is far beyond public/private IP address.
So, IMHO, you can choose almost freely between a public or private IP address because you would be adding very little security by using a private address.
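As an added example (not part of the post above, and not Nextcloud's own configuration), the following script renders the kind of host firewall the reply recommends: inbound limited to 443 and 22, and outbound limited to the internal services the Nextcloud host actually needs (here an LDAP server and a backup target), with everything else on the internal subnet dropped. The interface-free nftables syntax is real; the subnet 10.0.10.0/24 and the LDAP/backup addresses are assumed placeholders, and the resolver and NTP source are assumed to be outside the internal subnet.

```shell
#!/bin/sh
# Added example, not from the original post: emit an nftables ruleset for a
# Nextcloud host that exposes only HTTPS and SSH and can reach only the
# internal services it needs. All addresses below are assumed placeholders.

# render_ruleset "INBOUND_TCP_PORTS" LAN_CIDR LDAP_IP BACKUP_IP
# Prints the ruleset to stdout; load it with: render_ruleset ... | nft -f -
render_ruleset() {
  inbound="$1"; lan="$2"; ldap="$3"; backup="$4"
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    ct state invalid drop
    # the only services reachable from outside (post: 443 and 22)
    tcp dport { ${inbound} } accept
    icmp type echo-request accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
  }
  chain forward {
    # this host is not a router: never forward between networks
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oif lo accept
    # resolver and NTP are assumed to live outside the internal subnet
    udp dport { 53, 123 } accept
    # internal resources the Nextcloud host legitimately needs
    ip daddr ${ldap} tcp dport 636 accept
    ip daddr ${backup} tcp dport 22 accept
    # everything else on the internal subnet is unreachable even if the
    # host is compromised; rules are evaluated in order, so this drop comes
    # before the generic web egress below
    ip daddr ${lan} drop
    # outbound web access for updates and the app store
    tcp dport { 80, 443 } accept
  }
}
EOF
}

# inbound_accepts RULESET: count the accept rules in the input chain that
# match on a destination port; anything above 1 means an extra service crept in
inbound_accepts() {
  printf '%s\n' "$1" | awk '
    /chain input/ { in_input = 1 }
    /chain forward/ { in_input = 0 }
    in_input && /dport/ && /accept/ { n++ }
    END { print n + 0 }'
}

# Usage: render the ruleset for a constructed example subnet
render_ruleset "22, 443" 10.0.10.0/24 10.0.10.5 10.0.10.6
```

Check the result with `nft -c -f <file>` before loading it; the syntax check catches typos without touching the live ruleset, and the `inbound_accepts` helper gives a quick way to confirm that only the one intended inbound port rule exists.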