Eric, you nailed the problem down precisely.
Unfortunately, while digging through the core source code it develops that getting the document root out of the core data structures is not a 100% reliable solution. Comments associated with the document root entries specifically state that if the URI has been internally rewritten to use a filename that is permitted but out of the server root, then the data in those entries does not apply to the specific request.

This was all prompted by an issue in mod_nsf. The incoming URL was of the form http://www.server.com/index.html/wp-includes/wlwmanifest.xml but mod_nsf found r->filename to contain /www/server-root/index.html instead of (what I would consider to be correct) /www/server-root/index.html/wp-includes/wlwmanifest.xml, which caused mod_nsf to say "Yes, the file's there, request is OK" instead of "Crafty, but still no such file, put 'em on the ban list."

I'll need to think on this a bit more before going back to it.
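A simplified model of the split described in the message above, added here as an example (it is not httpd or mod_nsf code): the existing file ends up in filename and the remainder of the path in a separate path_info string, as in the request record's r->path_info. The file table, the function names and the stricter check are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the filesystem: regular files under the root. */
static const char *FILES[] = { "/www/server-root/index.html", NULL };

static int is_file(const char *p, size_t n) {
    for (int i = 0; FILES[i]; i++)
        if (strlen(FILES[i]) == n && strncmp(FILES[i], p, n) == 0)
            return 1;
    return 0;
}

/* Simplified model of the path walk: the first leading prefix that is a
 * regular file becomes filename; whatever follows it becomes path_info. */
static int split_path(const char *full, char *filename, size_t cap,
                      const char **path_info) {
    size_t len = strlen(full);
    for (size_t i = 1; i <= len; i++) {
        if ((full[i] == '/' || full[i] == '\0') && i < cap && is_file(full, i)) {
            memcpy(filename, full, i);
            filename[i] = '\0';
            *path_info = full + i;
            return 1;
        }
    }
    return 0;
}

/* The check as the post describes it: "does filename exist?" */
static int naive_exists(const char *full) {
    char fn[256]; const char *pi;
    return split_path(full, fn, sizeof fn, &pi);
}

/* Hypothetical stricter check: leftover path_info means no such file. */
static int strict_exists(const char *full) {
    char fn[256]; const char *pi;
    return split_path(full, fn, sizeof fn, &pi) && pi[0] == '\0';
}

int main(void) {
    const char *req = "/www/server-root/index.html/wp-includes/wlwmanifest.xml";
    printf("naive=%d strict=%d\n", naive_exists(req), strict_exists(req));
    return 0;
}
```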