Nobody can answer such question in general. in such case the security is mostly/completely defined through the Nextcloud server which is exposed to the internet. Your security policy sounds reasonable. AFAIK there was not many dangerous security holes in the past… and all of them where addressed using responsible disclosure so admin had enough time to install fixes in advance before issues became public. but it is the same as with any other application. Depending on the kind of data you store you have to decide yourself if this is safe enough for you.
2 Likes