It appears to me to just be a problem of muddy definitions. With the following:
webserver: the OS environment/filesystem/etc
off-site: not via HTTP
it should make more sense (as it seems you agree). It's not clear that even access control could help, however, if a "plugin" is some kind of interpreted script using the same interpreter (executing in the context of Apache via mod_php.so) that would be accessing wp-config.php normally. Control over the interpreter is pretty much game over.