Well for a traditional web service your only exposed service is something like NGINX. So yes it makes the vuln. in say NGINX more severe but the attack surface is pretty small. Also the only users that have access are SRE or equivalent who have root access anyway. (I am not arguing that there is no downside just that it's fairly limited in a traditional scenario)