There are number of reasons why certain scripts or framework php data may reside outside of public_html. For e.g. CodeIgnitor, etc. Currently there exists custom root feature. This does not help because it maps to public_html (hope I understood correct).
I suggest to have public_html as frontend and one system backend dir outside. The structure would be:
The backend will use open_basedir feature and allow sensitive php scripts like framework to work with frontend of all files under public_html, like themes, assets, css, etc. Then, the backend scripts will be included in backups, etc.
I still need to learn Hestia and its power. Pooooh, Hestia has grown to such an excellent panel, far beyond VestaCP. I regret not to have transferred to it earlier…