The juju charm does not contain any secrets apart from the initial admin password which is purged as soon as it is accessed through the juju action “get-admin-password”.
It implements code integrity checks as part of upgrade and deploys modifications to the OS in line with best practices for Nextcloud.
The charm never sends any data out from the system which not part of the Juju operation itself.
Please report any security related issues to the repo: https://github.com/nextcloud-charmers/nextcloud-charms