It depends on the actual server implementation.
While it looks like that node.js started as root will keep these privileges other servers (like Apache or nginx) only start as root and then give up privileges. A typical design for example is to have some master process which binds to the sockets with the necessary privileges and then forks a child which gives up all root privileges permanently before processing any data from the network. This is possible since the listen sockets are inherited from the parent process and the root permissions were only needed to bind the socket to a privileged port but not to accept connections on the established socket.
For example with nginx you will see something like the following:
$ ps -ax -o user,pid,ppid,cmd | grep nginx
root 14746 1 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 14747 14746 nginx: worker process
www-data 14748 14746 nginx: worker process
The first process shown is the master, running as root. The others are the workers started by the master running as non-privileged www-data
. Only these non-privileged workers will process user input and thus in case of a compromise due to some unexpected input from the network only the non-privileged user will be compromised first. Of course, an attacker might then try to do a local privilege escalation using additional bugs in the host but that's a different issue.