by diarrhea 1868 days ago
You can run it behind a reverse proxy. It won't serve anything on the naked IP; the correct host is required in the HTTP request headers.

I've been very happy self-hosting Nextcloud (and many others, including Vaultwarden). There are very few hits that even land on the login page, and essentially all of them only probe for /wp-admin or similar paths, then promptly leave me alone once all those probes return 404.

And then there's 2FA if any actually targeted attack ever materializes. Since it's entirely unknown what's inside the Nextcloud instance, there's no clear economic benefit (aka potential benefits are entirely uncertain, the instance might be vanilla). So I'm certain there's very little reason for anyone to actually try hard enough to achieve anything at all. Keep your system updated through the normal means and you're golden.