Thanks @giacomo for this reply!
I have used Nethserver wiki to tweak my Nethserver thanks to this post - Help documenting Nextcloud performance tweaking.
I agree that I would like to see these tweaks applied by default.
I also use this site to confirm my Nextcloud is patched and secure - https://scan.nextcloud.com
With the tweaks applied by the Nethserver wiki, and keeping my Nextcloud on Nethserver fully upgraded I can achieve a rating of A from scan.nextcloud. The only hardening I’m missing to achieve an A+ rating is cookie injection (_Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of ‘normal’ same-site cookies).
I’ll definitely join to help out in any way I can.