Ok, this makes sense - but then the production system you describe above was not something you have tested (including the use of Studio, Module Builder, etc, things that write out new PHP code).
I agree that if extra access is limited for some dirs, it should be limited to those dirs and not others. That was kind of the approach for v7, where this was recommended:
sudo chown -R www-data:www-data .
sudo chmod -R 755 .
sudo chmod -R 775 cache custom modules themes data upload
sudo chmod 775 config_override.php 2>/dev/null
There you see the extra permissions for some directories. Although the advice is not very consistent unless more things are explained regarding owners and group memberships.
For v8 I guess they gave up on this level of detail. Those dirs still exist (although under public/legacy) and they still need write access.
So I still prefer to give my accesses through the Group digit, and add my user to the www-data group, and leave the world digit at 0. But I do agree with you that it would make sense to set things differently for only some dirs.
It would actually be a good idea to jointly come up with some sort of “best practices” recommendations for this. Hopefully, something that is straight-forward for clueless sysadmins, since SuiteCRM has a lot of those (comes with the territory of being a powerful free software).