TL;DR I got nginx working so that it will allow certain IP addresses and/or subnets (for example guest Wifi) to access a set of limited-functionality OpenHAB sitemaps.
Admin-level users coming from authorized IPs and/or subnets can see the full set of available OH sitemaps, including sensitive ones with administrative & global settings, etc.
With this setup a necessary separation between regular users & openhab administrators is achieved.
NB: my production setup is still on OpenHAB 1.8 but I see no reason why a similar nginx setup wouldn’t work with OpenHAB 2. Will update this post if/when I migrate to OH2 and get nginx working there as well.
See this discussion:
https://community.openhab.org/t/hiding-a-sitemap-from-non-system-admin-users-oh-1-x/20434