root /var/www/domain.com/;
# Check if a file exists at /var/www/domain/ for the incoming request.
# If it doesn't, proxy to Gunicorn/Django.
try_files $uri @django;
This is fine if domain.com has your static files, but if you deploy a standard (instead of your suggestion from another part of the best practices) Django app layout on your server, it will make any Python file, including your settings, available for download.
/var/www/domain.com/
|- manage.py
|- settings.py
|- static/
|  |- style.css
Obviously this is bad and you should not point the root to your app, but I'm betting people will read that tip, which they will find when googling, and then do exactly this...
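
A pre-deploy check for the exposure described above, as an added example that is not part of the original comment or of the best-practices text it refers to: it walks the directory an nginx `root` points at and lists the files `try_files $uri @django;` would serve straight from disk that should never be public. The deny-list and the function names are assumptions made for this sketch, and the sample tree is constructed to mirror the layout shown above.

```python
import os
import tempfile
from pathlib import Path

# Assumed deny-list: file types that should never sit under an nginx root.
SENSITIVE_SUFFIXES = {".py", ".pyc", ".env", ".sqlite3", ".db", ".ini", ".pem", ".key"}
SENSITIVE_NAMES = {".env", ".htpasswd"}      # dotfiles have no suffix in pathlib
SENSITIVE_DIRS = {".git", ".hg", ".svn"}     # everything below these is flagged


def exposed_files(root):
    """Return sorted URL paths under `root` that nginx would serve as static
    files via try_files $uri and that match the deny-list."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        in_vcs = any(part in SENSITIVE_DIRS for part in rel_dir.parts)
        for name in filenames:
            suffix = Path(name).suffix.lower()
            if in_vcs or name in SENSITIVE_NAMES or suffix in SENSITIVE_SUFFIXES:
                hits.append("/" + (rel_dir / name).as_posix())
    return sorted(hits)


def demo():
    """Build the constructed layout from the comment and audit two candidate
    roots: the app directory itself, and only its static/ subdirectory."""
    with tempfile.TemporaryDirectory() as base:
        app = Path(base)
        (app / "static").mkdir()
        (app / "manage.py").write_text("# constructed sample\n")
        (app / "settings.py").write_text("SECRET_KEY = 'constructed-sample'\n")
        (app / "static" / "style.css").write_text("body {}\n")
        return exposed_files(app), exposed_files(app / "static")


if __name__ == "__main__":
    app_root_hits, static_root_hits = demo()
    print("root = app directory:", app_root_hits)
    print("root = static/ only: ", static_root_hits)
```

Run against the real document root in a deploy pipeline, a non-empty result from `exposed_files` is a reason to fail the build.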