As the main reason to finally drop the script was the blocking of Nextcloud updates, .htaccess files should also be writeable by/owned by the webserver user, as they are also shipped with updates.
It blocks upgrades because the permissions aren't as safe as with root:www-data. So it's actually worse to not use strong permissions. In the Nextcloud VM we solved that by making our own script for it: https://github.com/nextcloud/vm/blob/master/nextcloud_update.sh
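A quick way to see what the posts above are talking about, as an added example that is not part of the thread and not taken from the Nextcloud VM script: it lists every path under an install that the webserver user has no write bit for, which is the set of files a "strong permissions" script typically leaves behind and that the updater then trips over (.htaccess among them). The install path, user and group are arguments with assumed defaults of /var/www/nextcloud and www-data; it assumes GNU find and ignores ACLs.

```shell
#!/bin/sh
# list_unwritable DIR USER GROUP
# Print each path under DIR that USER cannot write according to the
# classic owner/group/other mode bits: not (owned by USER with u+w),
# not (group GROUP with g+w), and not o+w. This mirrors what a
# Nextcloud updater running as the webserver user would fail to modify.
# Added example, not the Nextcloud VM script. Requires GNU find for
# the symbolic -perm syntax; POSIX ACLs are not considered.
list_unwritable() {
    dir=$1
    user=$2
    group=$3
    find "$dir" ! \( \
        \( -user "$user" -perm -u=w \) -o \
        \( -group "$group" -perm -g=w \) -o \
        -perm -o=w \
    \)
}

# count_unwritable DIR USER GROUP: number of such paths, handy for a
# pre-upgrade check in a cron job or CI step.
count_unwritable() {
    list_unwritable "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Stand-alone usage (assumed defaults, adjust to your install):
#   sh audit.sh /var/www/nextcloud www-data www-data
if [ "$#" -ge 1 ]; then
    list_unwritable "$1" "${2:-www-data}" "${3:-www-data}"
fi
```

If the list is empty the updater's permission check is not what is blocking you; if it contains .htaccess, config/ or the apps directory, that is exactly the situation the posts describe, and a fix has to make those specific paths writable by the webserver user rather than dropping the strict ownership everywhere.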
Funny to search for a thing on the web and end up in a NC forum topic where the last comment is of yourself already asking the same question you (again/still) have today: priceless.