In the PHP environment, the php/ directory (the document root) is writable by Apache. This is generally considered a major security problem. I understand that many popular software packages (WordPress, among others) prefer to have a writable document root, so they can manage their own code. It would be good to at least have that default to non-writable, and allow people to disable the more secure setting at their own risk.
We may not be able to change this due to how the application environment and work-flow are setup. Taking the ticket in to discuss what we can do.
We have a fix planned for this that will enable / disable high security mode. In high security mode, what you're wanting to do (apache not writing to the php/ directroy) won't be allowed. Unfortunately I don't have an ETA for that.
Since this specifies a future feature we're planning that's a ways off, I'm going to close the ticket out as a deferred request.