Idk about giving a comprehensive answer, but getting full marks on the nextcloud security scanner is a good start: https://scan.nextcloud.com/
I check mine periodically and make sure I’m on the latest version, use 2fa (passkey) and hope that does the trick.
Also there’s a plugin for brute force protection.
Yes. Mine is exposed publicly (with fail2ban) on a VPS with a public IP and a public DNS name and it's fine. Use a minimal configuration that meets your needs, use secure passwords like you would for any public service and keep it up to date, and stay aware of any potential news that might make you aware of any severe and widespread vulnerabilities in the future (there haven't been any in Nextcloud so far). It is not nearly as terrifying as people make it out to be to share public services on the public internet. Most decent software is secure-by-default. Yes, vulnerabilities and attacks can happen, but they are the exception, not the rule.
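The fail2ban setup mentioned above boils down to "watch nextcloud.log for repeated failed logins from one address and ban it". The following is an added example, not code from this thread or from the Nextcloud project, that implements that detection logic in Python so you can see what fail2ban's maxretry/findtime pair actually decides on. It assumes Nextcloud's JSON log format (one object per line with "time", "remoteAddr" and "message" fields, and failures logged with a message starting "Login failed:"), which are the same fields a fail2ban filter for Nextcloud keys on. The log lines are constructed for the example, not captured from a real server.

```python
import json
from datetime import datetime

# Constructed sample lines in the shape of Nextcloud's JSON nextcloud.log
# (assumed format; only "time", "remoteAddr" and "message" matter here).
# 203.0.113.7: 5 failures in 19 seconds   -> should be banned
# 198.51.100.9: 3 failures, then a success -> below default maxretry
# 192.0.2.44: 5 failures spread over 2 h  -> never 5 inside a 10 min window
SAMPLE_LOG = """\
{"reqId":"a1","level":2,"time":"2024-05-01T10:00:01+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"reqId":"a2","level":2,"time":"2024-05-01T10:00:05+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"reqId":"a3","level":2,"time":"2024-05-01T10:00:09+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'root' (Remote IP: '203.0.113.7')"}
{"reqId":"a4","level":2,"time":"2024-05-01T10:00:14+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'alice' (Remote IP: '203.0.113.7')"}
{"reqId":"a5","level":2,"time":"2024-05-01T10:00:20+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'alice' (Remote IP: '203.0.113.7')"}
{"reqId":"b1","level":2,"time":"2024-05-01T10:01:00+00:00","remoteAddr":"198.51.100.9","user":"--","app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.9')"}
{"reqId":"b2","level":2,"time":"2024-05-01T10:02:00+00:00","remoteAddr":"198.51.100.9","user":"--","app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.9')"}
{"reqId":"b3","level":2,"time":"2024-05-01T10:03:00+00:00","remoteAddr":"198.51.100.9","user":"--","app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.9')"}
{"reqId":"b4","level":1,"time":"2024-05-01T10:03:30+00:00","remoteAddr":"198.51.100.9","user":"bob","app":"core","message":"Login successful"}
{"reqId":"c1","level":2,"time":"2024-05-01T09:00:00+00:00","remoteAddr":"192.0.2.44","user":"--","app":"core","message":"Login failed: 'carol' (Remote IP: '192.0.2.44')"}
{"reqId":"c2","level":2,"time":"2024-05-01T09:30:00+00:00","remoteAddr":"192.0.2.44","user":"--","app":"core","message":"Login failed: 'carol' (Remote IP: '192.0.2.44')"}
{"reqId":"c3","level":2,"time":"2024-05-01T10:00:00+00:00","remoteAddr":"192.0.2.44","user":"--","app":"core","message":"Login failed: 'carol' (Remote IP: '192.0.2.44')"}
{"reqId":"c4","level":2,"time":"2024-05-01T10:30:00+00:00","remoteAddr":"192.0.2.44","user":"--","app":"core","message":"Login failed: 'carol' (Remote IP: '192.0.2.44')"}
{"reqId":"c5","level":2,"time":"2024-05-01T11:00:00+00:00","remoteAddr":"192.0.2.44","user":"--","app":"core","message":"Login failed: 'carol' (Remote IP: '192.0.2.44')"}
this line is not JSON and must be skipped rather than crash the parser
"""


def parse_failed_logins(lines):
    """Return a list of (ip, timestamp) for every 'Login failed' entry.

    Anything malformed (partial line after rotation, non-JSON noise, missing
    fields, unparsable time) is skipped: a log watcher must never die on input
    an attacker can partly influence.
    """
    events = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(entry, dict):
            continue
        msg = entry.get("message", "")
        ip = entry.get("remoteAddr")
        ts = entry.get("time")
        if not (isinstance(msg, str) and msg.startswith("Login failed:") and ip and ts):
            continue
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append((ip, when))
    return events


def ips_to_ban(events, maxretry=5, findtime=600):
    """IPs with at least `maxretry` failures inside some `findtime`-second window.

    This is the sliding-window rule behind fail2ban's maxretry/findtime pair:
    failures that are merely numerous but spread out do not trigger a ban.
    """
    by_ip = {}
    for ip, when in events:
        by_ip.setdefault(ip, []).append(when)
    banned = []
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(ip)
                break
    return sorted(banned)


if __name__ == "__main__":
    failures = parse_failed_logins(SAMPLE_LOG.splitlines())
    print("failed logins parsed:", len(failures))
    print("ban (maxretry=5, findtime=600):", ips_to_ban(failures))
    print("ban (maxretry=3, findtime=600):", ips_to_ban(failures, maxretry=3))
```

One caveat worth checking on a real deployment: the "remoteAddr" that ends up in the log is only the client's address if Nextcloud sits directly on the public IP, or if your reverse proxy is listed in Nextcloud's trusted_proxies setting so it unwraps the forwarded-for header. Otherwise every failure is attributed to the proxy's address and a ban on it locks out everyone.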
There’s a lot of discussion on a very recent post about doing this for Jellyfin. You should start by reading that: https://discuss.online/post/40181742