Thanks! This is almost what I was looking for to resolve the __Host-Prefix complaint in the security scanner. The solution for me was as described in that article, adding Header set Referrer-Policy "no-referrer-when-downgrade" to the Apache config file for the Nextcloud virtualhost.
My Nextcloud install has always been as described here, but was failing the __Host-Prefix check. I don’t understand why - looking at the cookies in the Firefox console, with or without the above change, I’m sent cookies with __Host-nc_sameSiteCookielax and __Host-nc_sameSiteCookiestrict with domain set to mycloud.example.com and path set to /. Also with that change, now I am sending two sets of Referrer-Policy headers in the same request, first no-referrer then no-referrer-when-downgrade (and just no-referrer without the line in the config file).
Wish I understood why this worked and what’s actually changing!
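
A check a defender could run against the response headers discussed in the post above, as an added example that is not part of the original post: it applies the three `__Host-` prefix rules (Secure, no Domain attribute, Path=/) to each Set-Cookie header and reports which Referrer-Policy value takes effect when several are sent. The header values are constructed samples and the function names are illustrative.

```python
# Constructed sample response headers (not captured from a real server),
# shaped like the response the post describes.
SAMPLE_HEADERS = [
    ("Set-Cookie", "__Host-nc_sameSiteCookielax=true; path=/; secure; HttpOnly; SameSite=lax"),
    ("Set-Cookie", "__Host-nc_sameSiteCookiestrict=true; path=/; secure; HttpOnly; SameSite=strict"),
    ("Referrer-Policy", "no-referrer"),
    ("Referrer-Policy", "no-referrer-when-downgrade"),
]

KNOWN_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

def host_prefix_problems(set_cookie):
    """Return the __Host- prefix rules broken by one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    if not name.lower().startswith("__host-"):
        return []  # the prefix rules only apply to __Host- cookies
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        if key:
            attrs[key.strip().lower()] = value.strip()
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "domain" in attrs:  # the attribute in the header, not the host a browser displays
        problems.append("has Domain attribute")
    if attrs.get("path") != "/":
        problems.append("Path is not /")
    return problems

def effective_referrer_policy(headers):
    """Repeated headers form one list; the last recognised token is used."""
    tokens = []
    for name, value in headers:
        if name.lower() == "referrer-policy":
            tokens += [t.strip().lower() for t in value.split(",")]
    valid = [t for t in tokens if t in KNOWN_POLICIES]
    return tokens, (valid[-1] if valid else None)

def audit(headers):
    cookies = {v.split("=", 1)[0]: host_prefix_problems(v)
               for n, v in headers if n.lower() == "set-cookie"}
    sent, effective = effective_referrer_policy(headers)
    return {"cookies": cookies, "policies_sent": sent, "effective_policy": effective}
```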