Since any CMS user can upload files to the "assets" folder and this folder is below the webserver's DocumentRoot there is no way to protect the CMS-user to upload for instance a file "phpinfo.php" with
<?php phpinfo(); ?>
and then call http://www.silversite.com/assets/phpinfo.php to get any information!
With SilverStripe knowledge the ordinary CMS user can manipulte/destroy/query anything!