Depending on what services you want to give access with, I have had great luck with an ultra cheap VPS
https://lowendbox.com/blog/1-vps-1-usd-vps-per-month/
Then I host my edge services on a container and use an ssh tunnel to the remote host which gives me an ipv4 and any port forward that I want.
For example I have my reverse proxy inside my network and my VPN server then I use a command like:
ssh -R 8080:localhost:80 public.example.com
Which would forward publicip:8080 to localhost:80
Read more here: https://www.ssh.com/academy/ssh/tunneling-example.
I use autossh to keep the tunnel alive at all times.
https://www.harding.motd.ca/autossh/
This is an ultra cheap way to get any ports you want and self host the whole thing. The remote VPS also doesn’t get any extra access to your local network and doesn’t initiate the connection so it doesn’t have credentials for your local network
This confuses me a bit, technically nextcloud is just a PHP script that only runs when you actually perform a page request.
If you don’t enable the Cron then it does even less than a normal install.