From certbot 0.10 to 0.21

The --nginx plugin includes both an authenticator and an installer. The authenticator works pretty much exactly as you described above. The installer is what modifies your nginx configuration with the ssl_certificate directives and 301 redirect etc. If you don't want that, you can use

certbot certonly --nginx

which will just use the authenticator to get the certificate without making any permanent changes to your configuration. In that case you'll still need to configure nginx manually to install the certificate, and you'll probably want a --deploy-hook to reload after renewal.

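One way to write the --deploy-hook mentioned in the post above, as an added example that is not part of the original post or certbot's own code. The script path and the example.com domain are placeholders, and the script assumes the nginx binary is on PATH for the user running certbot.

```shell
#!/bin/sh
# Deploy hook for certificates obtained with `certbot certonly --nginx`.
# Assumed install path (hypothetical): /usr/local/bin/reload-nginx.sh, used as
#   certbot certonly --nginx -d example.com --deploy-hook /usr/local/bin/reload-nginx.sh
# nginx is configured by hand, since certonly skips the installer, e.g.:
#   ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
#   ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# (example.com is a placeholder domain.)

NGINX=${NGINX:-nginx}   # overridable so the functions can be exercised without nginx

# certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks.
# Refuse to continue unless the files nginx points at exist and are non-empty.
lineage_ok() {
    [ -n "$1" ] && [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# Reload only if the full configuration parses; a failed `nginx -t` leaves the
# running workers (and the previous certificate) untouched.
reload_nginx() {
    if ! "$NGINX" -t >/dev/null 2>&1; then
        echo "deploy hook: nginx -t failed, not reloading" >&2
        return 1
    fi
    "$NGINX" -s reload
}

deploy_hook() {
    if ! lineage_ok "${RENEWED_LINEAGE:-}"; then
        echo "deploy hook: incomplete lineage '${RENEWED_LINEAGE:-}'" >&2
        return 2
    fi
    reload_nginx
}

# Run only when certbot invoked us (it sets RENEWED_LINEAGE).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```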