When possible, your production sites running ProcessWire (or any CMS) should be in a dedicated environment. This doesn't necessarily mean a dedicated server.
Rather, it means any environment where the file system is dedicated only to your website(s), so that there are no other users on the same server who can potentially see (or worse, modify) the files of your account(s).
This dedicated environment could be a dedicated server, VPS, cloud server, or even shared hosting where accounts are completely jailed from one another. If in doubt, ask your web host whether your environment is dedicated and/or completely jailed from other people. Typically, budget hosting accounts are not dedicated environments, so be careful and choose wisely.
In a dedicated environment, you have less to consider in terms of file security, and this is one of the main reasons why we recommend it. File permissions are not as great a concern because other users on the same server cannot get into your files, regardless of your file permission settings. That doesn't mean you can disregard file permissions as a security matter, but a dedicated environment does greatly reduce the odds of having uninvited guests shopping around in your files.
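To see what other accounts on a shared server could view or modify, the following added example (not part of the original page or of ProcessWire itself) lists entries under a site root whose "other" permission bits grant read or write access. The function names and the sample tree layout and modes are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: list entries under a site root that the "other" permission
# class (accounts that are neither the owner nor in the file's group) can
# modify or read.

# audit_other_access ROOT
# Prints "WRITE <path>" for files/directories with the other-write bit set,
# and "READ <path>" for regular files that are other-readable but not writable.
audit_other_access() {
    # -perm -0002 matches when the other-write bit is set; symlinks are
    # skipped because their own mode bits are not what the kernel checks.
    find "$1" ! -type l -perm -0002 -print | sed 's/^/WRITE /'
    find "$1" -type f -perm -0004 ! -perm -0002 -print | sed 's/^/READ /'
}

# count_findings KIND ROOT -> number of findings of that kind (WRITE or READ)
count_findings() {
    audit_other_access "$2" | grep -c "^$1 " || true
}

# make_sample_tree -> path of a constructed sample tree (layout is an assumption)
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/site/assets"
    : > "$t/site/config.php"; : > "$t/index.php"; : > "$t/site/assets/upload.txt"
    chmod 700 "$t" "$t/site"
    chmod 777 "$t/site/assets"             # others could add or delete files
    chmod 600 "$t/site/config.php"         # owner only: not reported
    chmod 644 "$t/index.php"               # other-readable: reported as READ
    chmod 666 "$t/site/assets/upload.txt"  # other-writable: reported as WRITE
    printf '%s\n' "$t"
}

# Run with --demo to audit the constructed tree and clean it up afterwards.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    audit_other_access "$tree"
    rm -rf "$tree"
fi
```

Each entry is reported on its own mode bits; whether another account can actually reach it also depends on the execute bit of every parent directory.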