With just a couple of caveats, yes, unfortunately every internet-facing installation needs not just STUN but also TURN.
Strict Firewalls
This would presumably be firewalls/routers that don’t enable UPnP hole-punching. Since that’s enabled on most consumer routers by default, you’re probably right that it doesn’t apply to your case. It’s worth checking for if any of your users are on a business network, though.
Symmetric NAT
If you are running an internet-facing installation that isn’t exclusively IPv6, this most likely applies to you. Regardless of whether your server is behind NAT, nearly all of your users will be. WebRTC is supposed to let the clients connect directly to each-other, but with NAT in front of each user, that’s pretty tough to do.
See this excellent how-to on the forums for more information. If you’re using the Nextcloud VM, there’s also the script they mention in the README you linked.