By default, PHP does not restrict which files and directories your PHP scripts can access. To restrict the directories that can be accessed, you can use PHP's open_basedir setting.
To set open_basedir for one of your apps, log in to your server as the root user and create the file:
/etc/phpX.Y-sp/fpm-pools.d/APPNAME.d/open_basedir.conf
with the contents:
php_admin_value[open_basedir] = /srv/users/serverpilot/apps/APPNAME/
Then, restart PHP with the following command:
sudo service phpX.Y-fpm-sp restart
Important: PHP's open_based provides limited security. Unless you also disable all shell command execution capabilities of PHP, a script could still access files outside of the open_basedir using shell commands. For more information, see the PHP documentation for open_based.