Why is the apache user a member of the site owner's group?

SYSTEM INFORMATION
OS type and version AlmaLinux 9.4
Webmin version 2.111
Virtualmin version 7.20.2 Pro
Webserver version Apache 2.4.57
Related packages ?

I’ve noticed that Virtualmin creates new virtual sites with all the files owned by the main administrative user and that user’s group. The apache user is also made a member of the main owner’s group.

I’m asking about this because a security review tool I use (the “Security Review” module for the Drupal and Backdrop CMSs) complains that the web server is able to write to all the core files used by the CMS in the public_html directory. It still complains even after I change all the directories to permissions 755 and the files to 644 (which should prevent other members of the owner’s group from writing to those files and directories).

I tried making apache a member of its own group, making all the files and directories open to the apache group, and removing apache from the owner’s group. This caused the web site to lock up with a “forbidden” error. The only way I could reverse that was to make the apache user a member of the owner’s group again, even though the file permissions were still “siteowner:apache”.

Is the security module’s test faulty, or if not, is this a major security concern? And if I wanted to prevent the web server from writing to the core site files, how could I do that? Thanks!