sites/default/files contains compiled PHP stuff, config and file uploads. We didn't want to burden people with creating more than one webserver writeable directory. My plan was, once #1856766: Convert file_public_path to the new settings system (make it not configurable via UI or YAML) is in, to revisit the topic and move uploads one directory "in", i.e. sites/default/files/uploads, sites/default/files/config, sites/default/files/php. David Rothstein has a similar but not identical proposal in #1967118-9: Figure out recommendations for Drupal 8 deployment challenges:
I think this is a big problem, and the default configuration doesn't make much sense to me for any site (small or large). Why should code, configuration, and user-uploaded files all live in the same place? This could cause security headaches too, since it encourages backups of all those things to be mixed together (even though you might care a lot more about the security of your code + configuration than you do about user-uploaded files, which are already public).
Would it be possible for the default configuration to look more like this:
sites/default/files => user-uploaded files
sites/default/config => configuration files
sites/default/code => compiled PHP code
Sites with multiple web servers would then be instructed to have the first two in a shared filesystem but the third one not shared.