Your router probably includes a basic firewall, and as long as you close all ports that don’t run public services, that should be good enough for basic protection.
Yeah, I agree. There are also other reasons, like using a device with a useful size and shape (like Raspberry Pi).
I second that. Just to be sure: You mount your data, config and apps via cifs from your NAS over the network? So every request for data has to travel your home network from Nextcloud-machine to NAS? I have no experience with cifs mounts, but could imagine that these can be performance bottlenecks as well, especially if the network is in between (even more so if your desktop server is connected via WiFi) … I’d try putting the machine running Nextcloud next to the NAS serving the data and connect both via ethernet cable and see how that works.