By default the backups should only be accessible by the admin user or the owner:
For example:
/home/jaap/web/xxxxx/public_html/b374k-3.2.3/>whoami
jaap
/home/jaap/web/xxxx/public_html/b374k-3.2.3/>cp /backup/admin.2021-12-28_05-13-37.tar ./
cp: cannot open '/backup/admin.2021-12-28_05-13-37.tar' for reading: Permission denied
First of all, when running any control panel with random users you won’t trust, I would always disable certain PHP functions, as they are known to be harmful.
The question to be asked is: is this the responsibility of the server owner or of the developers of the software? PHP itself does agree it is the responsibility of the server owner.
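One way to check the default described in the post above across a whole backup directory, as an added example that is not part of the original post or of any control panel's own code. The function name `audit_backups`, the directory argument and the allowed-owner list are assumptions, and GNU `stat` is required.

```shell
#!/bin/sh
# audit_backups DIR "OWNER1 OWNER2 ..."
# Hypothetical helper (not from the post): flags backup archives in DIR that
# are owned by someone outside the allowed list or that grant any permission
# bit to group/other. Prints one finding per line; prints nothing when clean.
audit_backups() {
    dir=$1
    allowed=" $2 "              # padded so whole user names can be matched
    for f in "$dir"/*.tar; do
        [ -f "$f" ] || continue # the glob matched nothing, or not a regular file
        owner=$(stat -c '%U' "$f")
        mode=$(stat -c '%a' "$f")
        # Owner check: only the listed accounts may own an archive.
        case "$allowed" in
            *" $owner "*) ;;
            *) echo "OWNER $owner $f" ;;
        esac
        # Mode check: any of the low six bits (group/other rwx) is a finding.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "MODE $mode $f"
        fi
    done
    return 0
}

# Example call (path and user names are assumptions for illustration):
#   audit_backups /backup "root admin"
```

A clean directory produces no output, so the function can be run from cron and its output mailed only when something has drifted.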