The principles in that article apply also to mojoPortal code and included features, the web app itself should NOT be able to write to the folders where code is allowed to execute, otherwise all someone has to do is find a way to upload an executable file such as a .aspx page with malicious code and they can own your site. Thats is why we want only the /Data and /App_Data folders to be writable and we also want to mark those folders as not executable so that even if someone managed to upload a malicious .aspx file it would not run from the folder where they can upload.
And its no different with php, if a person who was not intended to be able to, managed to upload a malicious php file they can own a php site too if its uploaded to a folder that allows script execution, this is just basic web security. Some developers don't give enough thought to security and they choose to make things convenient at the expense of security. When I see a web app that can upgrade itself its a red flag to me.