by Ken Task.
In
https://docs.moodle.org/403/en/report/security/report_security_check_preventexecpath
"You should also explicitly set the relevant paths in your config.php file such as: $CFG->pathtodu = 'PATH'; $CFG->pathtounoconv = 'PATH'; $CFG->aspellpath = 'PATH'; "
One can lock a site down sooooo much that it looses functionality. Guess one has to assess the risk and then decide. I, for one, reason saving backups outside of moodledata as better than in the sea of files moodledata/filedir/ and thus am willing to take that risk .. which I believe to be minimal.
As long as your web service is not vulnerable to *remote/no login required* cross site scripting ../../../ kinda thing, then?
My 2 cents, of course!
'SoS', Ken