Yes but that’s a framework specific issue. And usually your documentroot would point to a directory below that which holds .env. Oh the memories of apache and php.
The mere concept of a "document root" is a problem though and a major footgun if you don't know what you're doing.
Every other language acts as its own web server which wouldn't even be capable of serving files even if you tried; the only thing it does is respond to web routes defined by the application.
This eliminates a whole chunk of security issues, from the one described above to malicious file uploads (PHP is probably the only language where a malicious file upload leads to RCE by default - other languages could happily accept and serve the malicious file back but wouldn't execute it).
> The mere concept of a "document root" is a problem though and a major footgun if you don't know what you're doing.
A non issue though after 2-3 days of working with this approach. All modern PHP frameworks have a so called front controller (an index.php file) that loads what it requires from ../ after, ideally, properly validating the request to avoid issues.
Some frameworks in the old days of PHP relied on .htaccess files to restrict access to unwanted files. Properly implemented frameworks would load everything from a directory above the documentroot to avoid these issues.
Every other language acts as its own web server which wouldn't even be capable of serving files even if you tried; the only thing it does is respond to web routes defined by the application.
This eliminates a whole chunk of security issues, from the one described above to malicious file uploads (PHP is probably the only language where a malicious file upload leads to RCE by default - other languages could happily accept and serve the malicious file back but wouldn't execute it).