Option to have all php files outside of web root.

Traditional Drupal has an index.php at the root folder, and basically everything below that is web-accessible, only protected by .htaccess.
Servers like lighttpd need separate configuration to achieve the same.

Full-stack symfony has only specific folders web-accessible, but all php is outside of web root.
The cost: It needs to dynamically generate symlinks from the web-accessible folder to module-provided resources (css, js, images). The symlinks are created on commandline.
This makes it difficult for symfony to be used by Joe Blogger on shared hosting. But this guy is not the symfony audience, anyway.

(note: This information is from me trying symfony a few years ago. Don't kill me if it's outdated)

For Drupal, we do want to support Joe Blogger, but we also support high-profile sites, where such a change could improve security a lot. So, if we do this, we should make it optional.

The way it could work:
- Make ROOT/sites/example.org/www the web root for this specific site.
- Symlink ROOT/sites/example.org/www/index.php -> ROOT/index.php
- Symlink ROOT/sites/example.org/www/modules/system/js/ -> ROOT/modules/system/js/
- Symlink ROOT/sites/example.org/www/modules/views/css/ -> ROOT/sites/all/modules/contrib/views/css/
- Symlink ROOT/sites/example.org/www/modules/mymodule/my.css -> ROOT/sites/all/modules/custom/mymodule/my.css
- Symlink ROOT/sites/example.org/www/files/ -> ROOT/sites/example.org/files/
etc.

The symlinks would be created with drush, or with a mechanic similar to imagecache (file not found -> create the symlink).

Seen from the web, this would be:
http://example.org/index.php
http://example.org/modules/views/css/views.css
etc

(I also thought about css/modules/views instead of modules/views/css. No strong opinion yet)

The hairy part is probably not the creation of the symlinks, but the rewriting of resource urls all over the place.

Saying it again:
This needs to be optional.

Related:
#1116144: Customizable locations for Drupal core folders (constants DRUPAL_CORE, DRUPAL_SITES)
#1668892: Enable secure compiled information on disk