I checked it here on a clean ISPConfig 18.104.22.168 install and I was not able to enter / as path for an FTP user when I am logged in as a client.
My guess is that he was logged in as administrator and not as client, or he used the remote API, which allows path overriding as well, as it runs with admin privileges. An administrator has and shall have the right to override paths for FTP users to anything he wants. ISPConfig just ensures that when a client or reseller is editing an FTP path, the path has to be inside the web in this case.
Please add detailed steps to your bug report on how you were able to change the path to / after you logged in as client (not admin).
Btw, if you thought that this was a critical bug, you should have contacted us (the ISPConfig developers and maintainers) first and asked them for a verification.