This has been corrected in the current installer, and I’ll tell you how to fix it for your already installed machine(s). You’re absolutely on the right track, but there’s one bit missing (which you also are on the right track about, but for ColdFusion).
First thing is to setup Virtualmin to add Apache to the new domain group. Set this in the Server Template(s) that you use, in the field labeled "Add Apache user to Unix group for new servers?" setting the Apache username to "apache".
The second step is to set Virtualmin to create the appropriate “locked down” permissions that you’re using: 750. This goes in the field two down from the one mentioned above, labeled “Permissions on website subdirectory”.
To fix it for your existing domains, pull up the Users and Groups module, and edit the apache user. In the Secondary Groups multi-selector, select all of your virtual domain names (each new domain gets its own group, and Apache needs to be a member of all of them).
ColdFusion is a much harder problem, because adding it to the group opens up the hole all over again (unless it has a SuExec style wrapper like Apache), and so you might as well leave it just as it was to start with (actually this problem is much worse, if ColdFusion also needs write permissions). I don’t know enough about ColdFusion to make any kind of useful statement–we’re working on ColdFusion integration to some extent, and we’ll address this, if possible, once we understand it better.
Anyway, all installs from a week or so ago on already have this permissions and group setup enabled. It is quite a bit tighter, and a good recommendation for all hosting servers–whether running Virtualmin Professional or GPL or no administration tool at all.
Oh, I should also point out that it isn’t particularly insecure in the old way. Just not as locked down as we’d like. Writing into others homes was prohibited, and scripts and their output could be locked down as tight as desired (and presumably all scripts that generate sensitive data would have locked it down without having to be told). This just adds a layer of privacy on top of security. It means that users cannot “see into” the public_html directory of other users. Definitely a good thing, and it would be easy to make a mistake that could lead to security trouble with the old setup.
Next step, a real isolation model. Not sure how we’re going to achieve that yet, but it’ll be in there in a month or so one way or another.