A system breach… Oh dear that would be terrible. Of course that’s something I cannot rule out, but I have no idea how to find out if it there has been a breach.
This is what I checked on the Nextcloud Pi server when I was trying to get to the bottom of the issue: NextcloudPi 'spontaneously' deleting files
If it wasn’t the server, but my laptop that was compromised, it happened many, many weeks back. How would I know? I haven’t noticed anything out of the ordinary, except the mentioned Nextcloud behavior.
In all honesty - I believe a bug, hardware failure or bad config are much more likely than a system breach, but I’m more than willing to be proven wrong.