[Security] Compromise recovery

I am trying to wrap my head around how to ensure that a redeployment's code is pristine after compromise.
But it seems to me that code and data are not properly separated in the official docker images, or I am doing something wrong.
I was checking if the official docker images check their code parts' integrity after launching a new container with previous data volumes. But from first and second glance at the launcher there is no integrity verification. Apps seem to be verified in a later stage, but only if integrity metadata is present. If not, it fails open.
Is there a canonical way to clean up a Nextcloud docker environment post compromise, or is this not considered at all?
Because running a public instance, it will sooner or later be compromised and I'd rather be prepared to deal with this sooner than later.
Recently one of my deployments had suspicious behaviour, and investigating if it's a real compromise or just bugs took me way longer than I'd like because I did a new deployment and manually ported all the data.

Am I just dense or is it really that way?
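A fail-closed check of the kind the post is asking about, as an added example that is not from the thread or from the Nextcloud project: it records the SHA-256 of every file in a code tree into a manifest kept outside the persistent volume, and later refuses to start when the manifest is missing, a file changed or disappeared, or a file was added. The directory layout, the manifest location and the availability of GNU `sha256sum -c` are assumptions.

```shell
#!/bin/sh
# Added example, not Nextcloud project code. Assumes POSIX sh, find, awk and
# GNU coreutils sha256sum. Keep the manifest outside the volume being checked
# (or on read-only storage) so an attacker on the volume cannot rewrite it.

abs_path() { echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"; }

# Record the SHA-256 of every regular file under $1 into manifest $2.
# Run this once, on a deployment you trust (e.g. a fresh image before first start).
make_manifest() {
    code_dir=$1; manifest=$(abs_path "$2")
    ( cd "$code_dir" && find . -type f -exec sha256sum {} + ) > "$manifest"
}

# Verify code tree $1 against manifest $2. Exit codes:
#   0 clean; 1 no manifest (fail closed, unlike a check that skips silently);
#   2 a listed file is modified or missing; 3 an unlisted file is present.
verify_manifest() {
    code_dir=$1; manifest=$(abs_path "$2")
    if [ ! -f "$manifest" ]; then
        echo "integrity: no manifest for $code_dir, refusing to start" >&2
        return 1
    fi
    # sha256sum -c reports every listed file whose hash differs or that is gone.
    if ! ( cd "$code_dir" && sha256sum -c "$manifest" ) >/dev/null 2>&1; then
        echo "integrity: modified or missing files under $code_dir" >&2
        return 2
    fi
    # Files present on disk but absent from the manifest (e.g. a dropped file).
    extra=$( cd "$code_dir" && find . -type f | awk -v m="$manifest" '
        BEGIN { while ((getline line < m) > 0) {
                    sub(/^[^ ]+ [ *]/, "", line); known[line] = 1 } }
        !($0 in known) { print }' )
    if [ -n "$extra" ]; then
        echo "integrity: unexpected files under $code_dir:" >&2
        echo "$extra" >&2
        return 3
    fi
    return 0
}
```

Running `verify_manifest` from the container entrypoint before the web server starts turns the check into a gate rather than a report.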

Why do you think that? Basic hardening will go a long way. If this is a primary concern, perhaps consider forcing such data into a Nextcloud over VPN.

You could set up a backup system and deploy through ansible.