Typically, there is only one password you actually need to know, which is the client area password. Every hosting account also has its own password, which is used for FTP and MySQL.
The most suitable article I can think of is this one:
Just “backing out” of a website directory should not be possible. All common web servers have security protections built-in by default, as there is basically no situation where you would want people to be able to navigate to arbitrary directories on the server. And if you do, then you can still configure that explicitly.
CHMOD is basically disabled on our hosting. In the 8+ year I have used this platform I cannot recall a single case where it has helped someone, and numerous cases where people messed up the permissions and corrupted their account.