Really, I think, there are a few related questions:
- How secure is Nextcloud itself?
- How secure is the software Nextcloud needs to run (Apache, PHP, MySQL/MariaDB, etc.)?
- How secure is the Apache (and other relevant software) configuration in Neth?
- How secure is the user’s installation?
On the latter point, if the root password is “12345”, the system’s going to be pwned in short order. Similarly, if users have weak passwords, they can’t expect that their data will be safe. This can be enforced, to a degree, by the admin with a password policy, but is ultimately up to the users. So, the real question is points 1-3.
To point 1, AFAIK, there are no known vulnerabilities in Nextcloud, and it’s pretty widely used, including by many major organizations. This carries forward to point 2, at least with respect to PHP (they could be using different webservers and/or DBMSs, but you can’t run Nextcloud without PHP).
This brings us to point 3, which is the only one under the control of the Neth devs: how secure is the default Neth configuration of Apache/MariaDB/PHP/Nextcloud? There are lots of factors in this, of course, and the only one I can speak with any confidence about is the TLS configuration (which is pretty good). AFAIK, Neth is designed and reasonably secured to be deployed as a public-facing web server. If this is not the case, it needs to be fixed. But if it is (as I understand it to be), a system with Nextcloud should be reasonably secure for most purposes.
That’s a long way of saying that I don’t think there’s a reason to be recommending VPNs, isolated networks, or other abnormal measures in the usual case.
I’m not a fan of using non-standard ports, particularly as a security strategy–I figure an attacker will use a port scanner anyway, so they don’t really hide anything. On the other hand, they can cause conflicts or incompatibilities with other software. Now, if you’re stuck behind a user-hostile ISP that blocks common server ports, you may need to do this anyway, but it shouldn’t be considered a security strategy.