Thanks for reply.
In case client is just a browser then it will send all the cookies with NGIX domain which means that NGIX will send all the cookies to backend server irrespective of who initially set it in set-cookie header.. This could be a security issue then.