
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



2013/12/31 Jerry Stuckle <jstuckle@attglobal.net>


> BTW - your quoting style is not consistent, making it difficult to see which are your comments and which are in the post you are replying to.
>
> Jerry

I broke quoting somewhere in the thread. BTW, here are my main points.

1. One should not be using root ownership for websites to solve permissions problems in the website document root. On servers where there are N web developers this is absolutely the wrong way to go (you can't go IMO).
root should only be used for system administration.
Security is not a matter of doing everything as root but of using the right permissions and user/group rules.

2. The www-data user should have r-x group permissions and unprivileged users (e.g. a developer account) should have rwx (or rw-) permissions and ownership.
www-data ownership is safe without write permission.

I just want to add a (relevant) bit. 
Apache has tons of directives to secure a website, and if you really need to upload in a dir you can tell Apache to not execute PHP scripts in there, or force the file type to text, or prevent POST requests from untrusted IPs, etc. etc.... and you're done.

/r
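
The ownership scheme from point 2 above, as an added example that is not part of the original message: one function applies the layout (developer account owns, web server group gets read-only access) and one audits a document root for entries that break it. The function names, the `dev` account and the `/var/www/site` path in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical usage on a Debian host:
#   apply_layout  /var/www/site dev www-data
#   audit_docroot /var/www/site dev

# apply_layout DOCROOT OWNER GROUP
# Owner gets rwx on directories and rw- on files; the group (the web server)
# gets r-x and r--; everyone else gets nothing.
apply_layout() {
    docroot=$1 owner=$2 group=$3
    chown -R "$owner:$group" "$docroot" || return 1
    find "$docroot" -type d -exec chmod 750 {} + || return 1
    find "$docroot" -type f -exec chmod 640 {} + || return 1
}

# audit_docroot DOCROOT OWNER
# Prints one line per finding and returns 1 if anything was found.
#   WRITABLE <path>  group- or world-writable, so a compromised web server
#                    process could modify or create content there
#   OWNER <path>     not owned by the expected developer account
#                    (for example root or www-data)
audit_docroot() {
    docroot=$1 owner=$2
    findings=$(
        find "$docroot" \( -type f -o -type d \) \
             \( -perm -020 -o -perm -002 \) -print | sed 's/^/WRITABLE /'
        find "$docroot" \( -type f -o -type d \) \
             ! -user "$owner" -print | sed 's/^/OWNER /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" | sort
    return 1
}
```

An upload directory that the web server must write to will show up as a finding; that is the place for the Apache restrictions mentioned in the message.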



