@lukasbestle, thank you for the answer.
After what you quote, the article also says:
Making directories writable by the web server should be done only with care and consideration. The usual threat model is that someone manages to upload (for instance) a PHP script of their own making into the document root, and simply executes that by accessing it through a browser. Now someone is executing code on your machine. Google for ‘r57’ for an example of what such code can do.
If a web app needs writable directories, it’s often better to have those outside the DocumentRoot: that way the uploads can’t be accessed from the outside through a direct URL. Some applications (WordPress for instance) support this, others do not.
I would say he does not affirm that it is OK to make folders writable. He says this is a risk and needs to be done with "care and consideration", but what does constitute "care and consideration" when dealing with a Kirby installation with panel and everything? I can either give Apache write access or not do it; what else?
The author also says that "If a web app needs writable directories, it’s often better to have those outside the DocumentRoot" and mentions that WP allows this. Can this be done with Kirby? Would this be something Kirby would consider relevant to add to the project?
I am of course not trying to say Kirby IS insecure, at all. I am not an expert at all either. But as Apache-savvy people have insisted this IS actually a threat, and articles such as the one quoted here insist on it as well, I am trying to understand the risk better and possible workarounds.
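To make the quoted threat model concrete, here is an added example (not part of the post above and not Kirby code) that audits a document root for directories the web server account can write to and lists any PHP-like files already sitting in them. The extension list, the example path and the `www-data` account name are assumptions; the check uses classic Unix mode bits only and does not consider ACLs.

```python
import os
import stat
import sys

# Extensions commonly mapped to the PHP handler (assumption; match your server config).
PHP_EXTS = (".php", ".phtml", ".phar")


def can_write(st, uid, gids):
    """Classic Unix mode-bit check for the given uid/gids (ACLs are not considered)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_docroot(docroot, uid, gids=frozenset()):
    """Return [(directory, [php-like files in it])] for every directory under
    docroot that the web server account could write to."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames.sort()  # deterministic traversal order
        if can_write(os.lstat(dirpath), uid, gids):
            scripts = sorted(f for f in filenames if f.lower().endswith(PHP_EXTS))
            findings.append((dirpath, scripts))
    return findings


if __name__ == "__main__":
    import pwd
    # Usage (hypothetical values): audit.py /var/www/site www-data
    root, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    for d, scripts in audit_docroot(root, pw.pw_uid, gids):
        print(f"WRITABLE {d}")
        for s in scripts:
            print(f"  reachable-by-URL script: {os.path.join(d, s)}")
```

Every directory it reports is a place where the scenario from the quoted article applies; a script file reported inside one deserves a review of how it got there.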