Thanks for pointing this out. I usually rely on the default settings in Arch Linux to handle stuff like this in the default package configuration, but it seems that the nginx package’s [1] systemd service [2] is not set up that way. Maybe it should be updated with a non-root User= and Capability=CAP_NET_BIND_SERVICE directive?
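
A sketch of the kind of drop-in the comment above suggests, using systemd's `AmbientCapabilities=` and `CapabilityBoundingSet=` directives. This is an added example, not part of the original comment or of the Arch package; the drop-in path, the `http` account name and the directory names are assumptions.

```ini
# Constructed example drop-in, assumed path:
#   /etc/systemd/system/nginx.service.d/hardening.conf
# Apply with: systemctl daemon-reload && systemctl restart nginx

[Service]
# Start the master process as an unprivileged account instead of root.
# "http" is an assumed account name; use whichever service user exists.
User=http
Group=http

# Hand the process only the capability needed to bind ports below 1024,
# and cap the set so nothing else can be acquired later.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

# Let systemd create directories owned by the service user:
#   RuntimeDirectory=nginx -> /run/nginx      (pid file, sockets)
#   LogsDirectory=nginx    -> /var/log/nginx  (access and error logs)
RuntimeDirectory=nginx
LogsDirectory=nginx

# Assumption to check before use: every pid, log and temp path named in
# the shipped unit and in nginx.conf must be writable by this user, so
# point them at the directories above. Files the master used to read as
# root, such as TLS private keys, must also be readable by this user.
```

With the master no longer running as root, nginx ignores the `user` directive in `nginx.conf` and logs a warning, so the workers run as the account set here.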