It can run in a container, a virtual machine, hosted on a cloud instance or whatever. Nowadays, you have infinite choices for isolation. One of my colleagues runs it in a DigitalOcean droplet and nothing else.
A quiet media server at home and VPN is what does it for me. That solution is not for everyone but someone could start making pre-built images or media servers with Nextcloud. I believe FreeNAS and the like already have Nextcloud as an app option.
If you want to run your file sync client in a container, I think that limitation alone removes a huge amount of value from a low-friction file sync tool.
Isolating for security is a totally different topic. We talked about pinning the application to a specific version, and I suggested that it can be done with various tools, isolating from a bigger operating system where packages would be automatically updated and Nextcloud would break after a while. It has nothing to do with security.
Of course you can do security for isolation on top of it any time, and sure, you won't get security updates after a while which would be nice, but there are tools to secure an outdated app in other ways as well.