This is quite normal, especially if your account is sufficiently secure (strong password/key, brute force protection, limited SSH connections by IP, etc.). At the very least, it's no worse than a CMS exploit that would give access with a service account at all.

Usually, the server itself works on behalf of www-data, or rather the php interpreter (php-fpm, if Nginx) and giving this group and user write permissions to all directories is very reckless.
I usually make the owner of the files a specific user who can manage all the files, and leave the group www-data and set its write permissions only for those folders in which files can actually be loaded and files modified by scripts , and in these folders I make sure to disable the launch of scripts (Nginx settings). Only umask 027 needs to be done. If there are several sites, then in the case of nginx it would be better for each site to use a separate php-fpm pool with a separate user group only for this site.
But this is only if it is not possible to use ACLs. If there is, I create a separate group for "developers".