Bismark
The only permissions I have for using the Nextcloud app for file DB sync are network, notification and scope for a single folder, as I wanted one set manually for local copy initially but found with cache sync and bkup copy it was not necessary. I could literally set up the Nextcloud app with only the network permission. Now maybe if you want to fully use all the comms etc. features, obviously it would need more. But its only use for me is DB sync. That is until Proton gets its software worked out for live sync. The free host I use right now is good cloud and has worked fine. But I will change to Proton unless I can figure out the VPN issue with home network NAS hosting. I would never connect to any home network host without VPN regardless of my DMZ and port setups.
I want to self-host on my NAS adding a cloud app but only if I can connect through my gateway fw VPN. I would never feel comfortable port forwarding the ports needed for the cloud app to work directly to my NAS server even with it being BSD based. I think fw VPN software is more vetted and tested than the complex code of cloud software with its numerous comms abilities. The issue of VPN with Android is you can only run one. As I use a VPN for all my std net use away from my home network, it's an issue then to have a live connection to my self-hosted kp db file.