Local/Remote File Inclusion is a serious vulnerability. The best practice to protect against it is to set the following in php.ini:
allow_url_fopen = Off
allow_url_include = Off
open_basedir = /var/www/html
Clearly, whitelist-based validation on user input is important as well, but developers make mistakes and defense in depth is key.
Even with the settings above, the exploit php://filter/convert.base64-encode/resource=index.php still works.
Is there any way to disable php://filter globally or on a per PHP basis?
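
An added example, not part of the original post: one way to combine the whitelist validation mentioned above with a per-request removal of the php:// wrapper through PHP's built-in stream_wrapper_unregister(). The directory name, page names and the resolve_page() helper are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). PAGE_DIR, PAGES and
// resolve_page() are hypothetical names chosen for illustration.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';   // assumed location of includable templates

// Allowlist: request key => file name. User input only ever selects a key.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested): ?string
{
    // Exact-key lookup: "php://filter/...", "../../etc/passwd" and
    // "http://..." values are rejected because they are not keys.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    // realpath() returns false for missing files and resolves symlinks, so
    // confirm the target still sits inside the template directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Defense in depth for this request: remove the php:// wrapper entirely.
// Caveat: this also disables php://input, php://memory, php://temp, etc.
if (in_array('php', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('php');
}

// Constructed sample inputs. 'home' resolves only if pages/home.php exists.
$samples = ['home', 'php://filter/convert.base64-encode/resource=index.php', '../index'];
foreach ($samples as $s) {
    $target = resolve_page($s);
    echo str_pad($s, 56), ' => ', $target ?? 'rejected', PHP_EOL;
}
```

Placing the stream_wrapper_unregister() call in a file loaded through the auto_prepend_file directive in php.ini applies it to every request. Code running later in the same request can re-enable the wrapper with stream_wrapper_restore(), so this complements the allowlist and does not replace it.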