I was going to answer what you say, but before doing so I started fail2ban again and did some more tests.
It turns out that it is blocking absolutely all connections. I have Nextcloud and Jellyfin through npm. I can't access either of them, neither from the local network nor from outside.
However, if I connect from outside with wireguard I can access both services. I'm not sure what conclusions to draw from this, can you think of anything? The wireguard network has a different network range than the local network, it also has its own iptables rules.
What is evident now is that it is not an issue related to the Nextcloud AIO container. The fact that he was found yesterday in Detained status must have had some different, unrelated cause.
I think all this is too dense for a Tuesday 
As I said, the fail2ban block happens to all docker containers because the action line in the jail is triggered on the DOCKER-USER chain. action = iptables-nft[type=allports, chain=DOCKER-USER], and since all docker containers operate on the DOCKER-USER chan, the ban applies to all of them. This is not a bad thing when an ip is hammering on your server looking for open ports, as it will block that ip address from everything docker related.
Perhaps you have gone too aggresive with your 1 week bantime, not allowing anything to get unbanned in a reasonable amount of time? Even my nextcloud lxc, which runs it's own fail2ban only has a 3 hour ban triggered by 10 failed attempts in 12 hours, while my NPM fail2ban is a 3 hour ban triggered by 5 fails in 30 minutes.
I have it set like this because the NPM fail2ban will stop hammering, but the nextcloud fail2ban watched the nextcloud logs and also checks for "Trusted Domain" errors.
This all too a little bit of trial and error to get levels that would catch malicious activity, but not cripple my server, and also why the posted guide has sort ban times.
If it is only access to one host config that is causing the bans you could get very specific by editing the logpath lines to point to specific logs and excluding the one that is triggering the bans, or a better solution would be making a different jail and matching filter for each host log, enabling you to have different maxretry/findtime/bantimes, but the bans would still be applied to the DOCKER-USER chain, when a failure occurs since it is all docker related,
[npm-docker]
enabled = true
ignoreip = 127.0.0.1/8 192.168.2.0/24
chain = INPUT
action = iptables-nft[type=allports, chain=DOCKER-USER]
logpath = /var/log/default-host_*.log
/var/log/proxy-host-*.log
maxretry = 5
bantime = 10800
findtime = 1800
[nextcloud]
backend = auto
enabled = true
port = 80
protocol = tcp
filter = nextcloud
maxretry = 10
bantime = 10800
findtime = 43200
logpath = /mnt/ncdata/nextcloud.log
action = iptables[name=nextcloud, port=http, protocol=tcp]
Display More
The question is, what is triggering the bans? Is it something on your server or is it hammering activity from the outside?