Aug 10, 2023
I talked to the lead engineer on the NGINX team about this at a conference. I pointed out that any internal redirect (aka FORWARD) will bypass ALL SECURITY CHECKS! (see https://medium.com/@apiexpert/why-api-gateways-are-dead-7c9e324ff70a)
Also, any use of RBAC/ABAC in an API application will cause privilege escalation if you do caching in the gateway (see https://medium.com/@apiexpert/api-gateways-not-securing-caches-ff042a399452)
He stated that I was right. This is why NGINX does not push themselves as a GATEWAY.