Yes, it is intentional. LSWS does on-the-fly log file rotation, and it requires a child lshttpd process to reopen log files for writing, so the log file owner will be changed to the user that the web server is running as.
The log file will only be created by the parent web server running as 'root', which then changes the ownership. The log file directory should be owned by root, and other users are not allowed to create any file there. CGI scripts should be started in SuEXEC mode; no CGI script should be able to write to the log file. It is not perfect but should not be a security problem when set up properly.
Logging everything through the parent process could be a solution, but the performance penalty is pretty big when a lot of data needs to be logged.
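
One way to check the layout described in the reply above, as an added example that is not part of the original post or LiteSpeed's own code. The function name `audit_log_dir`, its parameters, and the command-line arguments are assumptions made for illustration; the log directory path and server user name are supplied by the operator.

```python
import os
import pwd
import stat
import sys


def audit_log_dir(log_dir, server_uid, dir_owner_uid=0):
    """Return findings for a log directory that should be root-owned,
    with log files owned by root or by the web server user."""
    st = os.lstat(log_dir)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{log_dir}: not a real directory (symlink or other type)"]
    findings = []
    writable_by_others = stat.S_IWGRP | stat.S_IWOTH
    if st.st_uid != dir_owner_uid:
        findings.append(f"{log_dir}: owner uid {st.st_uid}, expected {dir_owner_uid}")
    if st.st_mode & writable_by_others:
        findings.append(f"{log_dir}: group/other writable, other users can create files")
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        fst = os.lstat(path)  # lstat: inspect the entry itself, not a link target
        if stat.S_ISLNK(fst.st_mode):
            findings.append(f"{path}: symlink, log files should be regular files")
        elif stat.S_ISREG(fst.st_mode):
            if fst.st_uid not in (dir_owner_uid, server_uid):
                findings.append(f"{path}: unexpected owner uid {fst.st_uid}")
            if fst.st_mode & writable_by_others:
                findings.append(f"{path}: group/other writable")
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <log_dir> <server_user>")
    uid = pwd.getpwnam(sys.argv[2]).pw_uid
    results = audit_log_dir(sys.argv[1], uid)
    print("\n".join(results) or "OK")
    sys.exit(1 if results else 0)
```

The script exits non-zero when any finding is reported, so it can run from a scheduled job after each log rotation.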