
And with `SO_PEERCRED`, you can even implement more complex transparent authorization & logging based on the uid of the connecting process.



This is true but to me mostly negates the benefit for this use case. The goal is to offload the auth work to the reverse proxy not to add more rules.

Although I guess you could have the reverse proxy listen both on IP and UNIX sockets. It can then do different auth depending on how the connection came in. So you could auth with TLS Cert or Password over IP or using your PID/UNIX account over the UNIX socket.
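The dual-listener idea discussed above, as an added sketch that is not part of the thread: on Linux, a proxy can read the kernel-supplied peer credentials for UNIX-socket connections and fall back to TLS certificate or password auth for IP connections. The `authorize` hook, the `allowed_uids` set and the `log` list are hypothetical names chosen for illustration.

```python
import os
import socket
import struct

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid (three 32-bit fields).
_UCRED = struct.Struct("iII")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of a UNIX socket.

    The kernel fills these in; they are the credentials in effect when the
    peer called connect(2) or socketpair(2), not its current ones.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def authorize(conn, allowed_uids, log):
    """Hypothetical proxy hook: choose the auth path by how the client came in."""
    if conn.family != socket.AF_UNIX:
        # IP listener: the kernel vouches for nothing about the remote side,
        # so the proxy still has to check a TLS client cert or a password.
        return {"method": "tls-or-password", "allowed": None}

    pid, uid, gid = peer_credentials(conn)
    allowed = uid in allowed_uids
    # Log the pid for audit only: pids are reused, so decide on uid/gid.
    log.append(f"unix peer pid={pid} uid={uid} gid={gid} allowed={allowed}")
    return {"method": "peercred", "uid": uid, "allowed": allowed}


if __name__ == "__main__":
    # Constructed demo: a socketpair stands in for an accepted connection.
    server_side, client_side = socket.socketpair()
    audit = []
    print(authorize(server_side, {os.geteuid()}, audit))
    print(audit[0])
    server_side.close()
    client_side.close()
```

A decision made this way holds for the lifetime of the connection, so it should be taken once per accepted socket rather than cached per pid.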



