Note that the external nginx brings something else valuable besides the static error page: Correct attribution of source IP addresses for IPv6 users. If your forum is accessible via IPv6, and you do not use the external nginx configuration, everyone accessing your site via IPv6 will show up as coming from a 172.x.y.z local address. This doesn’t help when you are trying to deal with malicious site users like spammers!
It’s exactly the same for adding new plugins.
I think that it makes it easier to update because you know that your users will be made aware of maintenance and just wait for it to finish.
The one thing I can think of that you want to be sure of is that you have certbot correctly renewing your certificates. That’s built into the default configuration that doesn’t use external nginx, but if you use external nginx, you also have to use external certbot and have to make sure it is set up to renew your certificate. And not all ways of installing certbot handle this.
Note that the documentation you asked about says:
If you installed certbot from your package repository, renewals usually happen automatically. Otherwise, set a reminder to run letsencrypt renew && systemctl reload nginx.service before your certificate expires!
Setting a reminder is not a good way to do this, though. You’ll inevitably forget, and if you miss an email from letsencrypt warning you about the expiring certificate, your site will quit working. Fortunately, this is easy to work around.
If automatic renewals aren’t set up, here’s how to do it.
Create the file /etc/systemd/system/certbot.service with these contents:
[Service]
ExecStart=/usr/bin/certbot -q renew
Create the file /etc/systemd/system/certbot.timer with these contents:
Description=Run certbot twice daily
Then tell systemd about the new files.
# systemctl daemon-reload
# systemctl enable --now certbot.timer
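The following is an added example, not part of the original post: a shell function that writes one complete service and timer pair for the setup described above, plus a check that the timer can be enabled. The certbot path, the nginx.service unit name, the 00:00/12:00 schedule, the one-hour random delay and the --deploy-hook reload are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: writes a complete certbot.service / certbot.timer pair into
# the directory given as $1 (use /etc/systemd/system on a real host).
# Assumptions: certbot lives at /usr/bin/certbot, nginx runs as nginx.service,
# and the schedule values below are illustrative choices.
write_certbot_units() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    cat > "$dir/certbot.service" <<'EOF'
[Unit]
Description=Renew Let's Encrypt certificates

[Service]
Type=oneshot
# The deploy hook runs only when a certificate was actually renewed,
# so nginx picks up the new files without a manual reload.
ExecStart=/usr/bin/certbot -q renew --deploy-hook "systemctl reload nginx.service"
EOF

    cat > "$dir/certbot.timer" <<'EOF'
[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
# Random delay spreads load on the CA; Persistent catches up after downtime.
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# A timer can only be enabled if it has an [Install] target, and it only
# fires if it has a schedule; the service must actually invoke certbot.
units_look_complete() {
    dir=$1
    grep -q '^ExecStart=/usr/bin/certbot' "$dir/certbot.service" &&
    grep -q '^OnCalendar=' "$dir/certbot.timer" &&
    grep -q '^WantedBy=timers.target' "$dir/certbot.timer"
}

# As root: write_certbot_units /etc/systemd/system, then run the two
# systemctl commands from the post.
```

After enabling, `systemctl list-timers certbot.timer` shows the next scheduled run, and `certbot renew --dry-run` confirms that renewal itself works.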