Well what do you know.
Nextcloud generates its own config file when you first log in and add the database. It defaulted to the local address but doesn’t add a config entry explicitly for this. It does add a URL rewrite entry (which gave me a clue) but I had to manually add:
'overwritehost' => 'nextcloud.example.com',
Once I did, the URL remained as the external one when entered AND https worked as expected.
Other config entries that may have contributed or at least helped (in case someone else sees this):
putting my external domain as the first entry (0) in the “trusted domains” list
updating the overwrite.cli.url to the external domain
Together, those entries are:

    'trusted_domains' =>
    array (
      0 => 'nextcloud.example.com',
      1 => 'nextcloud.example.house',
    ),
    'overwritehost' => 'nextcloud.example.com',
    'overwrite.cli.url' => 'https://nextcloud.example.com',

So this did turn out to be a Nextcloud mystery more than a Caddy mystery, but I really do appreciate you sticking with me to find the problem and at least rule out what it wasn’t so I could figure out what it really was.
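
As an added example (not part of the original post and not Nextcloud's own code), this Python check reads a `config.php` text and reports when `trusted_domains`, `overwritehost` and `overwrite.cli.url` disagree, which is the mismatch described above. The function names and the sample config are constructed for illustration, and the rule that the three entries should agree is an assumption taken from the setup in the post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample mirroring the entries in the post (not a real deployment).
SAMPLE_CONFIG = """<?php
$CONFIG = array (
  'trusted_domains' =>
  array (
    0 => 'nextcloud.example.com',
    1 => 'nextcloud.example.house',
  ),
  'overwritehost' => 'nextcloud.example.com',
  'overwrite.cli.url' => 'https://nextcloud.example.com',
);
"""

def _scalar(text, key):
    # Quoted string value of a 'key' => 'value' entry, or None if absent.
    m = re.search(r"'" + re.escape(key) + r"'\s*=>\s*'([^']*)'", text)
    return m.group(1) if m else None

def _trusted_domains(text):
    # Hosts listed in the trusted_domains array, in index order.
    m = re.search(r"'trusted_domains'\s*=>\s*array\s*\((.*?)\)", text, re.S)
    if not m:
        return []
    return re.findall(r"\d+\s*=>\s*'([^']*)'", m.group(1))

def check_proxy_settings(text):
    """Return a list of findings; an empty list means the entries agree."""
    findings = []
    trusted = _trusted_domains(text)
    host = _scalar(text, "overwritehost")
    cli_url = _scalar(text, "overwrite.cli.url")
    if host is None:
        findings.append("overwritehost is not set")
    elif host not in trusted:
        findings.append(f"overwritehost {host!r} is not in trusted_domains")
    if cli_url is None:
        findings.append("overwrite.cli.url is not set")
    else:
        parts = urlsplit(cli_url)
        if parts.scheme != "https":
            findings.append(f"overwrite.cli.url scheme is {parts.scheme!r}, not https")
        # Compare netloc so a host:port value in overwritehost still matches.
        if host is not None and parts.netloc != host:
            findings.append(f"overwrite.cli.url host {parts.netloc!r} differs from overwritehost")
    return findings
```

Calling `check_proxy_settings(open("config/config.php").read())` on a live install returns an empty list when the three entries line up as in the post.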