I used apache instead of root, and everything seems to work.
Does that seem reasonable in an effort to minimize possible escalations?
You seem to ahve used wrong settings for your site as there are no changes of the website owners etc. nescessary, neither to get joomla working nor for security. The correct settings for a joomla site are:
1) Select security level "High" in ISPConfig under System > server Config on the web tab.
2) In the website settings, enable the suexec checkbox and select "php-fcgi" as php method.
This ensures that all scripts are run in a security wrapper under the website user.
Do not use mod_php. Also useing user "apache" is a security risk as this allows attacks from other sites on the same server.