What does try_files do in this nginx configuration?

try_files does not tell nginx to serve the static file. Reaching the closing brace in the absence of any other operation causes it to serve the static file. try_files tests for the existence of the file in the local file system and may rewrite the URL.

So try_files $uri =404; is one of a number of common tricks to overcome a particular script injection exploit by ensuring the the PHP file is a real file before sending the URL to the upstream interpreter.

Why do you think it should? Nginx documentation doesn't say anything like that.

Checks the existence of files in the specified order and uses the first found file for request processing; the processing is performed in the current context. [...] If none of the files were found, an internal redirect to the uri specified in the last parameter is made.

As long as the file is found, the request is processed normally, i.e. passed to fastcgi. Otherwise a 404 will be sent.