It depends on what services you wanna expose to the internet and how much would it worth it for a hacker to get in. Is it just like Nextcloud or ssh as well? Is it ‚just‘ some personal data or are there top secret federal documents saved on it?
In general. You should always disable UPnP in your router to prevent any port openings you did not intend. Only open single ports when you really know why you need to.
Nextcloud behind a swag proxy is already pretty save. It comes with pre-configured fail2ban and other protective stuff. I have never seen someone trying to get in. What I see are regular scans of WordPress or phpmyadmin setups and queries trying to make php execute code.
If you wanna expose ssh as well, use another port for it and forbid password authentication. Public key auth only. You could also setup a honeypot on default port. There are some projects out there. Just google it.
Those things are minimum. If you want more than that you could think about making your services accessible via vpn only.