External storage permissions - local

I read the documentation and I wanted to make sure I understand a few things correctly:

In order for me to be able to use a local external storage, the Apache ID www-data has to have read+write permission on the local folder, correct?

And if so, then any NC user who can see the local external storage will also have read+write access to it and there is no way to prevent an NC user from having write access to the local external storage?

So if I want to be able to control who has permissions, then I should use an SMB external storage in combination with different user credentials for the SMB share and make it so only certain users can see the share. Right?