Well, how much money and time have you got? Hardening a system is more than enabling ufw or changing the root login to key-only authentication. It starts with physical access, goes on to the software components used, and to the capabilities and experience of the admin who’s maintaining it.
How secure is mailcow? Probably as secure as your base OS, Docker and all the container OS images, Postfix, Dovecot, SOGo, PHP, nginx, rspamd, etc. are - including any security vulnerabilities which aren’t known yet or might arise in the future, which are out of mailcow’s control. So it’s not a question which can be answered that easily.
One way to harden it? Probably not mixing up different applications like mailcow and Nextcloud on a single system 🙂