maintenance mode is handled on the application layer - you can not use Nextcloud anymore but all the outdated stack - webserver, php is still available and could be attacked. As you can’t use the application at all I would shut down the webserver to fully mitigate the security risk. but before you think about mitigation of theoretical security risks I would simply upgrade the system 
and in case you are not aware there is a wonderful script for easy php upgrades Php-updater - a script to upgrade php in a safe way
2 Likes