My 2 cents ...
config.php has nothing but variable definitions ... cannot be rendered by a browser. The only time it can be acquired is in the case where you PHP is broke.
Then one could acquire the file via wget. But, even then, there are protections in MySQL itself - host/user/password. if DB server is localhost and only localhost - then that uses a socket connection ... not typical TCP/IP MySQL Port access.
That means a hacker would have to gain access to server to be able to use those credentials. If they can do that ... you've got more trouble than you know.
Permissions/ownerships to config.php need only read ... not write. File can be owned by root but must be viewable to all for moodle to function.
Obviously one would not/should not use DB credentials that are also root user for the operating system ... that would be dumb! ;)
And a question ... when anyone accesses your moodle, do they see anything at all or are they forced to login to see anything.
Even if you do that ... there is at the very least a session cookie.
Understand your concern, but there is such a thing as being overly concerned.
Like I said - my 2 cents.
'SoS', Ken