Drupal - Why is settings.php in the web folder?

You are absolutely correct. I know for a fact that many developers/sysadmins do not take the risk that the PHP interpreter might fail at some point, and include the DB password (and other sensitive data like API keys) from a file outside the web server's docroot.

I'm surprised that this is not documented as a best practice anywhere - at least I couldn't find it on drupal.org either. I have no information why it works the way it does.
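The pattern the answer describes, as an added example (not the answerer's code and not Drupal's own): `settings.php` stays in the docroot but contains no secrets and instead loads them from a file one level above it. It assumes the Drupal constant `DRUPAL_ROOT` is defined before `settings.php` is read and a hypothetical layout of `/var/www/example.com/web` as docroot with `/var/www/example.com/private/db-credentials.php` holding the credentials.

```php
<?php
// sites/default/settings.php (lives inside the docroot, so it may be served as
// plain text if the PHP handler ever breaks). Keep it free of secrets.

// Assumed layout: DRUPAL_ROOT = /var/www/example.com/web, and the private file
// sits one level up, outside anything the web server can serve.
$private_settings = dirname(DRUPAL_ROOT) . '/private/db-credentials.php';

// Defence in depth: refuse to run if the private file is accidentally placed
// under the docroot, where the same exposure risk applies.
$docroot = realpath(DRUPAL_ROOT) . DIRECTORY_SEPARATOR;
$resolved = realpath($private_settings);
if ($resolved !== FALSE && strpos($resolved, $docroot) === 0) {
  throw new \RuntimeException('Private settings file must be outside the web root.');
}

// Fail closed: a missing or unreadable credentials file must not leave the
// site running with an empty $databases array.
if (!is_readable($private_settings)) {
  throw new \RuntimeException('Private settings file is missing or unreadable.');
}

// The private file defines only $databases and $settings['hash_salt'],
// e.g. (placeholder values, not real credentials):
//   $databases['default']['default'] = [
//     'driver'   => 'mysql',
//     'database' => 'drupal',
//     'username' => 'drupal',
//     'password' => 'REPLACE_WITH_REAL_PASSWORD',
//     'host'     => '127.0.0.1',
//     'prefix'   => '',
//   ];
//   $settings['hash_salt'] = 'REPLACE_WITH_REAL_SALT';
require $private_settings;

// Everything below is ordinary, non-secret configuration.
$settings['file_public_path'] = 'sites/default/files';
```

The private file should be owned by the deploy user and readable only by the account the PHP process runs as (for example mode 0640), so a web-server misconfiguration exposes at most the non-secret `settings.php`.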