I'd also say that there's no reason a user (e.g. the service account for node red) shouldn't be allowed to read the certificate and private key if you set the permissions to allow it, you just have to ensure that only that user gets read permission and not all users.
Not really, it also totally depends on your requirements. Often people have a webserver running anyway, so it's easy to simply add a reverse proxy part to its existing configuration.
On the other hand, if you ONLY require Node without any additional webserver, you might choose a more "dedicated" reverse proxy software like HAProxy. That said, I searched for things like "memory footprint" to see if someone has made a list of reverse proxies with their resource usage, as you could imagine a full featured webserver might use more memory than a dedicated reverse proxy. But I'm simply not sure
I'm assuming this "user" is not a real person who logs in, it's a service that's running, in which case that's perfectly normal. If it's an actual person that logs in then you could debate it.
The point of protecting a private key is that anyone who has it can decrypt the initial conversation between any other users to the same service. So it could be like you're protecting the crown jewels or it could like your protecting the coffee machine, depending on the context
It's common for services requiring access to a private key to start with root permissions, read the private key into memory and afterwards drop permissions to some non-root user level which doesn't have access to the private key or any other sensitive data. This to prevent exploits in the server itself being used to access e.g. the private key.
Actually the service is Node-RED executed as standard user, at least it has been installed from a user "daniele" without sudo but "daniele" can log in, in fact "daniele" is my account and it belongs to sudoers.
So, if I want for Node-RED to access the private key, I need to allow user "daniele" to read it and this is my concern.
I am not an expert but I would not know how to make Node-RED to start with root permissions and then to drop root privileges after having read the private key.
Please advise if this is clear and your considerations.
Personally I would consider it ok to then grant that service account read permissions on the certificate files (including the private key) because it's not an account normal users will login as. I actually don't think root should be used for anything app related (on linux), but that's my preference and certainly many production systems rely on root access somewhere.
There are no rules, there are only best practices for optimum security, but an important part of a best practice is that it should be practical and the relative importance of security (and usually therefore how much effort/complexity to add) depends on the environment you are working in. Some organizations have specific audited requirements for security and you would working within those.
For production systems it depends on the impact of your system being eventually compromised. If this is a development system or home hobby then how much you want to secure it depends on the impact to you if someone else gets access.