As PHP-FPM runs as the virtual server user, PHP scripts will have read access to all files under the user's home directory. The user might have SSH keys and/or other confidential details there.
Is there any proper way to allow PHP to read only files that are required for the website/app to run? Using open_basedir shouldn't be acceptable as it disables the realpath cache.