No modern operating system with secure installation will ever allow a file that is executable to be writable by the web server… This can be done…
A noble approach but far from reality. A simple example: how should a remote update, or the installation of plugins or themes, work in the environment you describe? With strong crypto, code signing and mandatory security audits for all community plugins and themes? Hardly feasible. And even then, the updater would have to write executable code (namely PHP, in our case).
Another example: let's take WordPress. IMO it's a good measure simply because it is by far the most successful CMS.
Take a look at WordPress' Theme Editor (many other web CMSs have similar features). We do not allow such editing of PHP files because we would call that an authenticated RCE.
In contrast to WordPress, Typesetter will never allow direct access to PHP files from the admin user interface (regardless of the admin permissions set). None of the PHP files that Typesetter writes to the /data directory is an entry point. They all instantly die if not loaded by a running Typesetter instance. This sets Typesetter significantly apart from WordPress in terms of security, IMO.
If Typesetter was (re)written today, it would probably go a different path.
There is an experimental setting in /gpconfig.php to use JSON files instead of PHP. It's experimental for several reasons - worth a different topic.
To sum it up: Typesetter has had extremely few serious security vulnerabilities in its history. Far fewer than most other CMSs I know.
I personally had no security incidents in the past 8 years. Over 100 websites, no incidents.
The most recent WordPress hack I've been dealing with was just 2 weeks ago.
So Typesetter can't be that bad.
edit: I have to correct myself. It seems the JSON option was removed from gpconfig again. Some remains here and here
Edited: 4 weeks ago
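The post says the PHP files Typesetter writes to /data are not entry points because they die unless loaded by a running instance. The following is an added illustration of that pattern in general, written for this discussion; it is not Typesetter's own code, and the constant name `APP_RUNNING`, the function names `write_php_data` / `load_php_data` and the file layout are assumptions. It also shows the other half of the problem raised above (the application has to write executable PHP): the writer serializes values with `var_export()` so that user-supplied strings become string literals rather than code.

```php
<?php
// Added example, not Typesetter's code. Demonstrates a PHP "data" file
// that is not an entry point: it dies unless the front controller has
// defined a marker constant before including it. APP_RUNNING and the
// helper names below are assumptions for this illustration.

const GUARD = "defined('APP_RUNNING') or die();";

// Serialize $data into a PHP file that cannot be executed on its own.
function write_php_data(string $path, array $data): void
{
    // var_export() emits quoted PHP literals, so a site title such as
    // "x'); system('id'); //" is stored as a string constant, not as code.
    $php = "<?php\n" . GUARD . "\nreturn " . var_export($data, true) . ";\n";

    // Write to a temporary file and rename it into place so a concurrent
    // reader never includes a half-written file.
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $php, LOCK_EX);
    rename($tmp, $path);
}

// Load the data file the way the application would: define the marker
// first, then include. A direct HTTP request (or `php config.php` on the
// CLI) never defines APP_RUNNING, so the guard line stops the script
// before the return statement.
function load_php_data(string $path): array
{
    if (!defined('APP_RUNNING')) {
        define('APP_RUNNING', true);
    }
    return include $path;
}

// Constructed demo input, including a hostile-looking value.
$dir  = sys_get_temp_dir() . '/php_data_demo';
@mkdir($dir);
$file = $dir . '/config.php';

write_php_data($file, [
    'site_title' => "Example'); system('id'); //",
    'theme'      => 'default',
]);

$cfg = load_php_data($file);
echo $cfg['site_title'], PHP_EOL;   // the string round-trips unchanged
```

The guard protects against the data file being used as an entry point; it does not by itself prevent a path-traversal or upload bug from writing arbitrary PHP into the data directory, so in practice the web server should also deny HTTP access to that directory as defense in depth (a general practice, not something the post describes for Typesetter).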