The problem is fully solved. Indeed it was NOT an issue of Hestia or firewall but of Seafile.
For those who are interested:
By default Seafile installation binds to “127.0.0.1:8000” in file gunicorn.conf which works with further configuration of Nginx as HTTP proxy but not with direct access via port 8000 (http://cloud.my-domain.xyz:8000).
However, accessing Seafile by port 8000 is the out-of-the-box configuration which is decribed in the documention as immediately working after installation.
In other words:
If you want to access Seafile by Nginx HTTP proxy (which is the best and common way, I admit, because you want to use secure https), than leave everthing in Seafile as it is and configure Nginx as proxy following the steps of the official documentation.
If you want to access Seafile directly by port 8000 (e.g. because you use VPN, like I do), than change file /seafile-install-path/seafile/haiwen/conf/gunicorn.conf like that:
[...]
# bind = "127.0.0.1:8000"
bind = "0.0.0.0:8000"
[...]
Since I have installed Seafile always with Apache proxy before it’s the first time I faced this issue. Seafile installation process should be changed or better documented.