Actually, I should reconsider my position on this after reading this:
http://stackoverflow.com/questions/1459739/php-serverhttp-host-vs-serverserver-name-am-i-understanding-the-ma
I am not sure how nginx reacts to that, but according to you Francis, you seems to be inline with Chris Shiflett that neither is safe nor insecure. They are pretty much the same thing.
Under one circumstances, can you think of a way to exploit when using $http_host?