edit config.php in 1.4

Re: edit config.php in 1.4

by Cefn Hoile -
Martin,

Tell me if I'm wrong, but I'm not sure that most users on a shared host can delete the file using FTP. Strictly, only www can edit the file, I think, and the FTP daemon will only be able to write files which it (or you as a user) has permission to modify. I don't have exhaustive experience of lots of different shared hosting arrangements, though, and they're probably all a bit different.

You're quite right to err on the side of security. Unfortunately, creating files through the web interface can be a one-way street for those on shared hosts, unless they can escalate their privileges via legitimate or slightly dodgy means like myshell or phpshell. Please put me right if I have misunderstood somewhere.

There may be no easy way to fix this within the install script, although I think the group membership approach might be worth looking at - to do it moderately securely you would have to activate this specifically when installing, and specify the group.

Alternatively, you could perhaps provide support for the files written by the install script to be removed through some admin-password-protected operation in a Moodle config page (which would then execute as www).

Moving config.php will kill the Moodle install until it is replaced, but it won't leave valid Moodle site admins with this catch-22 on permissions. Alternatively, a similar password-protected operation to make config.php file permissions more permissive might be an option.

Cefn
http://cefn.com