The hostname can be under any user; it really doesn’t matter. However, it is written so that it creates it under the admin user if it doesn’t exist…
There might be other security vulnerabilities to be found that give shell access to the user running php / apache2 or nginx, so that is why it always runs any user with limited permissions…
It will be replaced anyway in the next major release… As we found that nobody cares about it and ignores the warning anyway… It was a design choice in VestaCP and we carried it over when we forked it, but it was a bad decision to start with…