That might help if nginx has a security vulnerability. But what about all the programs I run as a user? Nobody runs their IDE or “npm install” under separate user accounts. Nor should we have to in order to prevent a package from interacting with my filesystem outside of the project directory.