User apache only needs read access except under special conditions, such as a script that needs to store configuration in a file. And a lot of apps store their state in a DB so they don't need filesystem write access at all. Set the permissions as strict as possible, so that if an attacker finds a bug in apache, he does as little damage as possible.