opendir() attempts to create a directory resource handle (within PHP) and reports on success or failure to do so. A local attacker could use this to determine whether one of the following is true:
(a) the given directory exists
(b) the given directory does not exist or the accessing user lacks sufficient permissions to determine whether or not this directory exists at the given location.
You can restrict the directories the user can access using the open_basedir setting in php.ini. If you do this correctly, so that the local user can only access the directories she should be able to access, (and thus can use opendir() to attempt to define those as resource handles, and check for their existance), I do not consider this function to have any security implications.
As such, it is unusual if not unlikely that you would restrict use of this function on a default PHP installation at all. Maybe your customer is actually referring to the open_basedir restriction?