ProcessWire doesn't output any 501s, so those are most likely getting sent from the web server before PW even gets a chance to boot. If you were running Apache, I'd say the first thing to look at would be mod_security meddling in requests. But since you aren't using Apache, maybe there's something like mod_security that is blocking certain patterns/combinations of requests that it thinks look suspicious? That would be my best guess anyway.
Your best guess is a good one. It was a mod_security problem. It only started happening after the host switched from Apache to LiteSpeed so I made the leap it was an incompatibility with litespeed but it may have only been a result of how the server was configured. They commented out the mod_security rule and things went back to normal.