Apparently it is safer to run PHP as the user which owns the files rather than running them all as the webserver owner, but does this not create other vulnerabilities?

In the case of WordPress, for example, the owner of the files (whether you're using suPHP/suEXEC/ruid2, etc., or not [1]) requires rw access to files [2] in order to enable the automatic updates. Surely this means that if a malicious user found a way to upload an exploit, it would be run as the owner of that file and they could therefore completely destroy the site?

I'm not running an environment shared by other users (the sites all belong to me, but the files have different owners), so I don't specifically need to run ruid2 - are there any other ways to have PHP create files with a specific owner, but still run them with group permissions for Apache? (I need this to allow an unprivileged user to sync with Lsyncd.) Would it be acceptable to run chown with a regularly scheduled cron?

Thanks for your help!


  1. http://codex.wordpress.org/Hardening...omatic_Updates
  2. http://codex.wordpress.org/Changing_...ng_with_suexec