Since the files are owned by root, the nginx user (www-data) responsible
for handling web traffic has no ability, through a security hole or
otherwise, to allow write access to the www files. Therefore, it's following
the principle of least privilege.
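
One way to check this on a host, as an added example that is not part of the original text: the script walks a web root and reports every file or directory the worker account could modify under standard POSIX mode-bit rules. The default path `/var/www` is an assumption, and ACLs and capabilities are not evaluated.

```python
import os
import stat


def writable_by(st, uid, gids):
    """Return why uid/gids can write to this inode, or None if they cannot.

    Mirrors POSIX mode-bit evaluation: the owner class is checked first,
    then group, then other, and only the first matching class applies.
    """
    if st.st_uid == uid:
        return "owner-writable" if st.st_mode & stat.S_IWUSR else None
    if st.st_gid in gids:
        return "group-writable" if st.st_mode & stat.S_IWGRP else None
    return "world-writable" if st.st_mode & stat.S_IWOTH else None


def audit_webroot(root, uid, gids=frozenset()):
    """List (path, reason) for everything under root the worker can modify.

    Directories are included: write permission on a directory lets the
    worker create, replace or delete entries even when the files inside
    it are owned by root.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits on a symlink are not enforced
            reason = writable_by(st, uid, gids)
            if reason:
                findings.append((path, reason))
    return sorted(findings)


if __name__ == "__main__":
    import grp
    import pwd
    import sys

    # Assumed defaults: /var/www is a placeholder web root, www-data is the
    # worker account named in the text.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    user = sys.argv[2] if len(sys.argv) > 2 else "www-data"
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    for path, reason in audit_webroot(root, pw.pw_uid, gids):
        print(f"{reason}\t{path}")
```

An empty result means the worker has no write path into the web root through ownership or mode bits; any line printed is a place where a compromised worker could change served content.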
Looking at it from the other side, if you changed the files to be owned
by the nginx user (www-data), then it might be possible to exploit the
nginx worker process to modify the files that it owns, in this case your