Currently we have the following setup: Linux with grsec patches
PHP with safe_mode=on
safe_mode_include_dir = /usr/share/pear:/usr/share/php
User directories are created with ownership user:services
Users create files as user:users
If you chmod the user directory to 700, only the user can get in
Next you need to allow services (Apache is running as www-data and in group services) into the home directory:
chmod g+x ~
And give access to the directory with website stuff
chmod o+x ~/website
And give read access to the credentials file
chmod o+r ~/secrets.php
Now, other users can't get into your home directory because only the user and group members of services are allowed. And only others, thus no one in the users group, can read the secrets.php file.
Thus, if you allow apache to only execute php scripts (with safe_mode) you can effectively prevent reading your secrets files...
We need webservers that can run as the owner of the files

Or run as a different owner per virtual host. I think this was announced as a feature for Apache 2 a couple of years ago, but it seems to have become very silent on that front...
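
An audit of the mode bits in the layout described above, as an added example that is not part of the original post. It assumes GNU coreutils stat on Linux; the function names are hypothetical, and it checks permission bits only, not the user:services / user:users ownership.

```shell
#!/bin/sh
# Added example: verify the mode bits of the home-directory layout from the post.
# Assumes GNU coreutils stat. "website" and "secrets.php" are the names the post uses.

# bits PATH -> permission bits as a decimal number (special bits masked off)
bits() {
    echo $(( 0$(stat -c '%a' "$1") & 0777 ))
}

findings=0
fail() {
    echo "FINDING: $*"
    findings=$((findings + 1))
}

# audit_layout HOME -> prints findings, returns the number of findings
audit_layout() {
    home=$1
    findings=0

    for p in "$home" "$home/website" "$home/secrets.php"; do
        [ -e "$p" ] || fail "$p is missing"
    done
    [ "$findings" -eq 0 ] || return "$findings"

    h=$(bits "$home")
    w=$(bits "$home/website")
    s=$(bits "$home/secrets.php")

    # Home (chmod 700, then g+x): group services may traverse, others get nothing.
    [ $(( h & 0010 )) -ne 0 ] || fail "home: group lacks x, web server cannot enter"
    [ $(( h & 0007 )) -eq 0 ] || fail "home: users outside the group can get in"

    # website (o+x): the web server reaches it through the 'other' class.
    [ $(( w & 0001 )) -ne 0 ] || fail "website: other lacks x"

    # secrets.php (o+r): readable via 'other', not via the file's group (users).
    [ $(( s & 0004 )) -ne 0 ] || fail "secrets.php: other lacks r, web server cannot read it"
    [ $(( s & 0040 )) -eq 0 ] || fail "secrets.php: group can read it"

    return "$findings"
}

# Stand-alone use: sh audit.sh /home/someuser
if [ "$#" -gt 0 ]; then
    audit_layout "$1"
fi
```

A return value of 0 means the bits match the post's scheme; each finding names the bit that breaks it.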