If you go the server route (and NAS), make sure it is in a locked closet. Ideally, it'll be concealed to appear as something else but the fact it locks would be a giveaway it contains something important. Regardless, you do not want employees having access to the physical hardware.
Encrypt...every...single...drive. Encrypt all backups, local and cloud. At least if something does get stolen, it'll be difficult for the criminal to gain access. Once the drives are encrypted and pulled out of the machine they're associated with via a TPM, it becomes very difficult to unlock/decrypt.
Minimize network switches, and use gigabit. The cost is so insignificant anymore that it makes zero sense to use 100 meg switches. Do not use hubs, they slow things down relative to switches. As a result, make sure you have enough available network runs to each location. My general rule is four, but no fewer than two.
A NAS is fine for data storage, but they differ greatly in performance (read/write speeds) and security. Make sure any storage device you have is either RAID 5 or 10 (I'm a RAID 10 person, at this point in my life--storage is cheap, data loss or data recovery is not). Do you need a full server? Depends on the software you use, whether or not you want to use Exchange and Active Directory, etc. I do not have a full-fledged server, nor do I ever plan on it, and have absolutely no issues with alternative systems and services I use to achieve the same end results. Biggest benefit to a server, in my mind, and ignoring what software or virtualization needs may be, is Active Directory--it can be very nice to control user accounts from the server, though server CALs are a PITA to deal with (and expensive).
Network equipment, servers, NAS devices, etc., generate a lot of heat. Make sure they're all on robust battery backups and have ventilation.
QuickBooks does not care where the files are located. If you have a multi-user license, it will handle it properly, and all QuickBooks installs are local, anyway. With multi-user, it automatically locks out certain functions that require single-user mode. If you are logged in as Admin, since about 2012, there have been ways to kick users out if they stay logged in. More recently, a timeout can be set, though it is much too long for my preference.
For most small companies, I think servers are overkill, particularly if Active Directory and Exchange are not utilized. In fact, then they're just overpriced data storage devices, since you can easily build a Windows 10 Pro PC to be robust enough to host ANY software you need, including over a network.