Ah then I just realized, it probably does have access to all nginx log directories, because nginx needs write permissions to them anyway, right? Now I really want to go double check all my permission setups...
It depends on how nginx is designed. In theory you could separate log writing into a different process, and drop those permissions from the worker process.
Or just write to stdout and have systemd handle the logging for you, that'd work too.