maybe this service doesn't take that approach, and somehow manages to always create a new file

It's fairly common to create a new file, then rename it to the original name, since that guarantees there is never a partially written file served up.

(If the directory has the appropriate group ownership, and its "set-group-id" mode flag is set, the group ownership of the file will be set automatically, and the file creation process only needs to set group write access.)

Setting an appropriate umask may also accomplish this, depending on the code.

This is a really clever solution; I didn't realize that the setgid bit would let the Web server user create a file owned by a group it wasn't a member of, but a small test confirms this. I can think of tons of places to use this. Thanks!