This seems to be less of an issue with understanding how Nextcloud works; it's more about snaps in general.
Snaps provide their own filesystem and environment; they are not permitted to write on the host system, but they can read from it.
You can think of them kind of like Docker images, but they are still part of the host system, e.g. they share its IP.
The snap itself is immutable; you can mount outside storage into the snap though, e.g. to save files. The configuration of the snap itself is done from outside the snap, and file storage is achieved by mounting specific folders inside the snap, which the snap can't break out of.
For the nextcloud-snap, see the documentation here:
https://github.com/nextcloud/nextcloud-snap
That all being said: Whether you want to have it run in a snap or on its own depends on your use case. Are you using this one specific server just for Nextcloud? Is it a VM? What kind of backup solution are you using? How do snaps integrate into the rest of your environment?
If you just plan to run Nextcloud on that one VM/server, native installation is the obvious choice since snaps just create overhead. If you are also using other snaps on the same machine, snaps might be the way to go.
Your security concerns aren't really a reason to choose one over the other though, since again, snaps are their own enclosed environment; only the data is writable. In fact, I would even argue that they increase security, as they are also monitored by AppArmor.
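
One way to check the confinement this answer describes, as an added example that is not part of the original post or of the nextcloud-snap project: two shell functions that read `snap connections` and `snap list` output and report which filesystem-widening interfaces are connected and whether the snap runs under strict confinement. The interface list and the sample output (versions, revisions) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a snap's confinement from `snap` CLI output.
# Both functions read text on stdin, so they work on saved or live output.

# Interfaces that widen filesystem access beyond the snap's own data
# directories (list chosen for this example, not exhaustive).
FS_INTERFACES="home removable-media personal-files system-files"

# Input: output of `snap connections <snap>`.
# Output: one line per connected plug whose interface is in FS_INTERFACES.
connected_fs_interfaces() {
    awk -v wanted="$FS_INTERFACES" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) fs[w[i]] = 1 }
        NR == 1 { next }                      # skip the header row
        ($1 in fs) && $3 != "-" { print $1 " " $2 " -> " $3 }
    '
}

# Input: output of `snap list`; $1: snap name.
# Output: "strict" unless the Notes column carries classic or devmode.
confinement_from_list() {
    awk -v name="$1" '
        $1 == name {
            mode = "strict"
            if ($NF ~ /(^|,)classic(,|$)/) mode = "classic"
            if ($NF ~ /(^|,)devmode(,|$)/) mode = "devmode"
            print mode
        }
    '
}

# Constructed sample output (not captured from a real system).
SAMPLE_CONNECTIONS='Interface        Plug                       Slot              Notes
network          nextcloud:network          :network          -
network-bind     nextcloud:network-bind     :network-bind     -
removable-media  nextcloud:removable-media  :removable-media  manual'

SAMPLE_LIST='Name       Version      Rev    Tracking       Publisher   Notes
core18     20230530     2785   latest/stable  canonical   base
nextcloud  27.1.3snap1  37722  latest/stable  nextcloud   -'

printf '%s\n' "$SAMPLE_CONNECTIONS" | connected_fs_interfaces
printf '%s\n' "$SAMPLE_LIST" | confinement_from_list nextcloud
```

On a live system, pipe `snap connections nextcloud` and `snap list` into the functions in place of the samples; a slot of `-` means the plug is declared but not connected.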