Can I just suggest that the chmod of the docroot of 711 makes other websites php scripts able to run shell commands and see website content of other vhosts.

I installed a r57 php shell for testing and ran basic bash commands from there and was able to guess file names and cat the contents. Changing this to 0710 fixed it. I see that you have a setting inside the control panel to select 'Network Filesystem', so perhaps this needs to be selected if someone needs this workaround with 0711 for NFS (even though it's horrible security wise).

Ideas?

I agree that we should add a config option for that. Beside that, in the master branch, there is support for chrooted PHP-fpm also. This feature will be officially available in ISPConfig 3.2.