When I set

include_path = ".:/usr/share/php"

to access shared libraries and

safe_mode = On

is set, users cannot use files in /usr/share/php, just because there're userid check in main/fopen_wrappers.c. It means in safe mode you can include files with the same owner userid only, as the controlling file (eg. which contains that include or require).

My opinion: checks, mandatory blockings and security enhancements should be distinguished via a new entry in php.ini.

Excerpt of my previous mail:

Check/block summary

env.var block:
  - AUTHORIZATION (only in apache SAPI)
function block:
  - dl
  - set_time_limit
function restrictions:
  - safe_mode_allowed_env_vars
  - safe_mode_protected_env_vars
privileges
  - sanity checks
    mkdir, rmdir, rename, unlink, copy, chkgrp, chown, chmod, touch,
    symlink, link, mkfifo, pg_loimport, filepro, filepro_rowcount,
    filepro_retrieve, dbase_open, dbase_create, dbmopen
  - special access permissions block
    chmod
  - userid checks
    fopen

Conclusion

Some things are must-have in safe_mode, but I would put an own flag for each type (well, the privilege sanity checks don't do any bad, so this type doesn't need another flag).