Here is my experience; this depends on configuration.
PHP files can be set to 600, so that the user can read and write them, and suPHP should take care of setting the user to the website owner. You may want to make sure that the owner has been set to the user, as old installations could have an owner like www-data. You could set them to 400 also, but you may have user support issues with no write permissions, and it doesn't greatly improve security.
Other files will generally need permissions like 644 because Apache will be reading them as user www-data, which will not be the owner or group for those files. This will also apply to .htaccess and php.ini. As a default for all files, thus, you probably need 644.
Directory permissions: if you have a home dir with a public_html in it, the ideal is to set that to 700, but some configurations seem to need 711 for Apache (and maybe some other tools) to work. Hypothetically, 700 should protect you better than 711 - with 711, files such as a configuration which is set to 644 (a default recommended by Joomla and often applied by web servers for new files) can be read by world if someone can guess the file location - which isn't hard (as maybe you've learned as an admin to many Joomla and WP sites). Similarly for public_html and other directories, those may need as high as 755. But you should experiment with your own configuration, find the lowest permissions where the websites load, then go back and make sure any tools you support or provide to clients (like cPanel file manager) work properly as well. If you can get the home directory or public_html set to 700, you might test a read across accounts on a configuration.php - I found that my cPanel accounts have a 711 home directory and that a 644 configuration.php can be read across user accounts. I see a cPanel discussion about problems with symbolic links that can make it easy to hack across accounts, so the permissions become quite important - one site gets hacked, the whole server is at greater risk than it should be. Someone suggested that setting the home dir to 700 will prevent reads anywhere below that directory, but the ability to do that seems configuration dependent. But 700 on the home directory might be as close to the holy grail as you can provide, if it works (and that seems configuration dependent).
I'm not really an expert and certainly don't know the range of configurations you might find - but I'm answering because I see this is a 6-week-old question that needs a good set of answers. Hopefully you'll get someone with broader server configuration expertise to improve this answer.
Best Answer
It depends on the ownership of the file/directory. Just remember, PHP under suPHP will access PHP scripts as the owner user, and those PHP scripts will operate as that user, meaning, everything they read or write is done as that user. So, PHP scripts only need to be owner-readable to run.
However, anything else not being a PHP script is accessed as the Apache user (they are not accessed by suPHP), meaning that user needs at least read access to the files and read+execute access to directories. If those files are owned by a common user, they will need to be world-readable (and world-executable for directories). But if they are owned by the web server user (nobody, www-data, apache, depending on distro) they only need to be owner-readable/owner-executable.
A note for directories: Apache (when serving non-PHP files) will try to read every directory in the path searching for .htaccess files; if it cannot explore the directories, it will fail with a 403 error, even if the file is readable.
So, I think for most websites or web applications all files (PHP files and non-PHP files, and directories) would be owned by a single user, so the permissions would be:
Another note: even if you set 0400 for a PHP script, it can be modified by another PHP script owned by the same user, as it can simply run chmod from PHP, so a 0400 is not safer than 0644. This applies only when using suPHP.
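
The permission model discussed in the answers above (suPHP runs PHP scripts as the owner, Apache reads everything else as a different user) can be checked mechanically. This is an added example, not part of either answer: a Python audit of one site's document root. It assumes PHP scripts end in `.php` and that a single user owns the site; the function names, finding strings and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

PHP_EXT = (".php",)  # assumption: suPHP handles files ending in .php

def audit(docroot, owner_uid=None):
    """Return sorted (relative path, finding) pairs for one site's docroot."""
    owner_uid = os.getuid() if owner_uid is None else owner_uid
    findings = []
    def check(path, is_dir):
        st = os.lstat(path)  # lstat: never follow symlinks out of the account
        mode = stat.S_IMODE(st.st_mode)
        rel = os.path.relpath(path, docroot)
        if stat.S_ISLNK(st.st_mode):
            findings.append((rel, "symlink: review its target"))
            return
        if st.st_uid != owner_uid:
            findings.append((rel, "not owned by the site user"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((rel, "group/world writable"))
        if is_dir:
            if not mode & stat.S_IXOTH:  # Apache must traverse to find .htaccess
                findings.append((rel, "directory not traversable by Apache (403)"))
        elif path.endswith(PHP_EXT):
            if mode & (stat.S_IRWXG | stat.S_IRWXO):  # suPHP needs owner bits only
                findings.append((rel, "PHP file accessible beyond owner"))
        elif not mode & stat.S_IROTH:  # served by Apache as a different user
            findings.append((rel, "static file unreadable by Apache (403)"))
    check(docroot, True)
    for root, dirs, files in os.walk(docroot):
        for name in dirs + files:
            check(os.path.join(root, name), name in dirs)
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (names and modes are illustrative)."""
    layout = {"configuration.php": 0o644, "index.php": 0o600,
              ".htaccess": 0o644, "logo.png": 0o600}
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "public_html")
        os.makedirs(os.path.join(root, "images"))
        os.chmod(os.path.join(root, "images"), 0o700)
        for name, mode in layout.items():
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(root, 0o755)
        return audit(root)
```

Run `audit()` as the site owner against the real document root; on the constructed tree it reports the 644 `configuration.php`, the 700 `images` directory and the 600 `logo.png`.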