There was recently a presentation about whether or not it's safe to let the webserver write to your document root:
http://www.pcworld.com/businesscenter/article/209860/how_default_app_ins...
This is something I've heard our community go back and forth about. I'd like us to come to a more solid position on the topic.
He also cites granting more MySQL permissions than necessary as a mistake (one we avoid, though we could be a bit more strict... do we need the permission to drop tables, for example?).