It's a misconception that (A)GPL source code should be publicly available.
GPL family mandates source code access to people who can access to the software itself. So as long as ICC gets the source code of the NextCloud EE and the Guard app, the GPL is fulfilled.
This is how RedHat operates, and is not a violation of GPL.
Also, this is how you can build a business around GPL. You only have to provide source code to people who buys your software, or you can sell support to it.
But presumably, under the GPL, someone who obtained the source code, perhaps by paying for it, can freely publish that source code, and non-disclosure agreements are void.
GPL family mandates source code access to people who can access to the software itself. So as long as ICC gets the source code of the NextCloud EE and the Guard app, the GPL is fulfilled.
This is how RedHat operates, and is not a violation of GPL.
Also, this is how you can build a business around GPL. You only have to provide source code to people who buys your software, or you can sell support to it.
Another example: Rock Solid curl [0].
[0]: https://rock-solid.curl.dev/