Certbot renew fails even when the challenge HTTP request is working

If you use the root /var/www directive, it will go to /var/www/.well-known/acme-challenge/secure/

If you use the alias /root/www directive, yes, it will go to /var/www/secure, but then, if you do that http://"public"/.well-known/acme-challenge will go to /var/www instead of /var/www/.well-known/acme-challenge/ and that's dangerous (and the certbot webroot plugin won't work).

You can of course use a different path, like this:

        location /.well-known/acme-challenge/ {
                root /var/www/acme;
        }

and then

        certbot --webroot -w /var/www/acme
3 Likes
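The root/alias mapping described in the reply above can be checked before a renewal runs. The following is an added example, not part of the original post: it models how nginx resolves a prefix location with `root` or `alias` and compares that with the path where the certbot webroot plugin writes the challenge file. The function names and the token value are hypothetical, and regex locations and `try_files` are not modelled.

```python
import posixpath

ACME_PREFIX = "/.well-known/acme-challenge/"


def nginx_path(location, directive, target, uri):
    """File path nginx serves for `uri` in a prefix `location` block."""
    if not uri.startswith(location):
        raise ValueError("URI does not fall under this location prefix")
    if directive == "root":
        # root: the whole request URI is appended to the root directory
        joined = target.rstrip("/") + uri
    elif directive == "alias":
        # alias: the matched location prefix is replaced by the alias path
        joined = target + uri[len(location):]
    else:
        raise ValueError("directive must be 'root' or 'alias'")
    return posixpath.normpath(joined)


def certbot_path(webroot, token):
    """Path where the webroot plugin writes the challenge file for `token`."""
    return posixpath.normpath(
        posixpath.join(webroot, ".well-known/acme-challenge", token))


def check(location, directive, target, webroot, token="constructed-token"):
    """Compare what nginx would serve with what certbot would write."""
    served = nginx_path(location, directive, target, ACME_PREFIX + token)
    written = certbot_path(webroot, token)
    return {"served": served, "written": written, "match": served == written}


if __name__ == "__main__":
    # Configuration from the post: dedicated root, same directory passed to -w
    print(check(ACME_PREFIX, "root", "/var/www/acme", "/var/www/acme"))
    # alias pointing at the parent directory: challenge URLs resolve into
    # /var/www itself, so the plugin's file is never found there
    print(check(ACME_PREFIX, "alias", "/var/www/", "/var/www"))
```

A `match` of `False` means the HTTP-01 request will not find the file certbot wrote, and the `served` path shows which directory the challenge URL actually exposes.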