Ah, then I just realized it probably does have access to all nginx log directories, because nginx needs write permissions to them anyway, right? Now I really want to go double-check all my permission setups...
It depends on how nginx is designed. In theory you could separate log writing into a different process, and drop those permissions from the worker process.
Or just write to stdout and have systemd handle the logging for you, that'd work too.