guessing that you're reading point (2) of the link above.
I think that there they're telling that nobody but root - the superuser! - can change or execute any file in the Moodle code directory - the so called dirroot, the directory exposed via HTTP(S) using wwwroot -: that being said, you can make Web Server user the owner without giving it the right to execute files and that is option (b) within the point (2), via Web Server group, which eventually prevents other users to access Moodle code including the config.php file, in which sensitive credentials are stored.
Besides, config.php should be IMHO read-only even for root - e.g. chmod ugo-wx config.php - to be warned when you're changing it via CLI.
Beware that this kind of file permissions setup will prevent Moodle to automatically deploy plug-ins since the code will not be able to create new folders under the candidate "plug-in directory" e.g. /local, /mod, ... . You should always copy the plug-in code via "root", then fixing the file permissions for that plug-in directory and then install it.
Look at a nice post in https://askubuntu.com/a/767534 for some more details about a way to implement a similar policy and some scripting to achieve it.