That is exactly the reason. and is the main difference between Apache mode and Nginx mode in W3TC. The plugin needs to be able to create URL rewriting rules on the fly, and nginx gives them no sane way to do it.
Htaccess sucks for various reasons, but most of the suck can be worked around.
What exactly does it do on the fly? Unless the plugin is running under the same user as nginx's master process, which is usually root, it won't be able to send SIGHUP to the master process and reload nginx.conf. So, nothing can be on the fly here, it's probably just one of those fancy ways to make plugin installation "easier" and create configs on behalf of the user.
Also, there is no reason to start nginx under root on linux, just give the binary required net bind capability and start under normal user.
I'd be interested to see if any web-based control panels are vulnerable in a similar way. All of the client_*_temp_path directives are valid in http,server, and location contexts so you have a lot of flexibility there.
All of the client_*_temp_path behave this way so you can actually change multiple files with one payload.
I am sure there are other ones but I have not had a chance to investigate further. Another commented mentioned this particular problem is in ngx_create_paths so that would be a good place to start looking.
The key is to find paths that happen in the master process, not the workers.
This would make sense if it created those directories, but IMHO it should fail to start if the path exists and isn't owned by www process. The function that does chown() is even called ngx_create_paths().
SELinux does, I don't know about App armour. Dockerized NGiNX will give you root in the container, which will give you root on the host easily. If you run NGiNX as non-root-container, you are better off: You can't escalate. You run as non-root before, and stay non-root.