No, snapctl doesn’t work this way. You cannot call sudo snap get snapname foo without having something set foo for the snap, first. However, in the case of the Nextcloud snap, snap configuration is abstracted away from the rest of the snap by shell functions. For example, this one. When it’s called, it uses snapctl get <whatever>, but if that doesn’t return anything, it then sets its default values. As a result, the first time the snap fires up, it runs snapctl set for all configurable things and sets them to their default values.
The Nextcloud snap existed long before hooks, so some of this is historical. Today you can use e.g. the install or post-refresh hooks to set initial values, etc.
I’m not sure about the documentation to which you refer here, but you’re right: there’s no need to duplicate the config unless what you’re snapping can only operate on, say, a text file. It’s fine to rely on snapd to store your config.
This is just good old permissions. If your app is a service, it’s running as root, in which case you can simply ensure the config file is owned by root, chmod 600, and you’re good to go. Unfortunately, if it’s not a service, then you have no idea who will be running the app, and you can no longer use 600-- you’re essentially requiring that the world must be able to read this file, which may not be the best idea.
I don’t believe this is well-documented, but it’s validated here, so essentially lowercase alpha-numerics and hyphens.