in this case is a security risk to ?.....
Yes. This does not depend on the controlpanel. If OpenBasedir is off, a PHP script may access the whole server. For example:
$lines = file('/etc/passwd');
would output you a list of all users that are on the server, if openbasedir is not enabled as the passwd file is world readable.