Can you elaborate on the specific threats you're thinking of?
I'm picturing a WordPress environment where all the source code owned by root with R+X permissions for www-data and nobody else, and an "Uploads" directory owned by root that has R+W for www-data with no X.
So assuming we have locked down permissions but still running a vulnerable plugin; we still have code execution and can ex-filtrate secrets via Uploads or create symlinks or upload malicious payloads. We just can't use the webserver to change code. You could still steal credentials that give us access via other means.
By being able to modify executable files on the webserver, an attacker can add a backdoor through a security hole quite easily. Without, he could just make use of the security hole as of itself.
I'm picturing a WordPress environment where all the source code owned by root with R+X permissions for www-data and nobody else, and an "Uploads" directory owned by root that has R+W for www-data with no X.
So assuming we have locked down permissions but still running a vulnerable plugin; we still have code execution and can ex-filtrate secrets via Uploads or create symlinks or upload malicious payloads. We just can't use the webserver to change code. You could still steal credentials that give us access via other means.