Here is my experience; this depends on configuration.
PHP files can be set to 600, so that the user can read and write them, and suPHP should take care of setting the user to the website owner. You may want to make sure that the owner has been set to the user, as old installations could have an owner like www-data. You could set them to 400 also, but you may have user support issues with no write permissions, and it doesn't greatly improve security.
Other files will generally need permissions like 644 because Apache will be reading them as user www-data, which will not be the owner or group for those files. This will also apply to .htaccess and php.ini. As a default for all files, thus, you probably need 644.
Directory permissions: if you have a home dir with a public_html in it, the ideal is to set that to 700, but some configurations seem to need 711 for Apache (and maybe some other tools) to work. Hypothetically, 700 should protect you better than 711. With 711, files such as a configuration file which is set to 644 (a default recommended by Joomla and often applied by web servers for new files) can be read by world if someone can guess the file location, which isn't hard (as maybe you've learned as an admin to many Joomla and WP sites). Similarly for public_html and other directories: those may need as high as 755.
But you should experiment with your own configuration, find the lowest permissions where the websites load, then go back and make sure any tools you support or provide to clients (like the cPanel file manager) work properly as well. If you can get the home directory or public_html set to 700, you might test a read across accounts on a configuration.php. I found that my cPanel accounts have a 711 home directory and that a 644 configuration.php can be read across user accounts.
I see a cPanel discussion about problems with symbolic links that can make it easy to hack across accounts, so the permissions become quite important: one site gets hacked, and the whole server is at greater risk than it should be. Someone suggested that setting the home dir to 700 will prevent reads anywhere below that directory, but the ability to do that seems configuration dependent. But 700 on the home directory might be as close to the holy grail as you can provide, if it works (and that seems configuration dependent).
I'm not really an expert and certainly don't know the range of configurations you might find, but I'm answering because I see this is a 6-week-old question that needs a good set of answers. Hopefully you'll get someone with broader server configuration expertise to improve this answer.
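The cross-account read test described in the answer above can be approximated from the mode bits alone. This is an added example, not part of the original answer: the function names `world_can_read` and `demo` are hypothetical, the directory tree is constructed in a temp directory, and the check looks only at the "other" permission bits (it ignores ACLs, group membership and any suPHP or Apache settings).

```python
import os
import stat
import tempfile


def world_can_read(path, top):
    """Check the 'other' permission bits on every directory from `top` down
    to `path`, then on the file. Returns (readable, first_blocking_path)."""
    path, top = os.path.realpath(path), os.path.realpath(top)
    if os.path.commonpath([path, top]) != top:
        raise ValueError("path is not below top")
    dirs, cur = [top], top
    rel = os.path.relpath(os.path.dirname(path), top)
    for part in ([] if rel == "." else rel.split(os.sep)):
        cur = os.path.join(cur, part)
        dirs.append(cur)
    for d in dirs:
        # Traversing a directory needs the execute (search) bit, not read.
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return (False, d)
    if not os.stat(path).st_mode & stat.S_IROTH:
        return (False, path)
    return (True, None)


def demo(home_mode, file_mode):
    """Build a constructed home/public_html/configuration.php tree with the
    given modes and report whether another account could read the file."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        webroot = os.path.join(home, "public_html")
        os.makedirs(webroot)
        cfg = os.path.join(webroot, "configuration.php")
        with open(cfg, "w") as fh:
            fh.write("<?php // constructed sample, no real settings\n")
        os.chmod(cfg, file_mode)
        os.chmod(webroot, 0o755)
        os.chmod(home, home_mode)
        ok, blocker = world_can_read(cfg, home)
        return ok, os.path.basename(blocker) if blocker else None


if __name__ == "__main__":
    for home_mode, file_mode in [(0o711, 0o644), (0o700, 0o644), (0o711, 0o600)]:
        print(oct(home_mode), oct(file_mode), demo(home_mode, file_mode))
```

On a real server, pass an account's actual home directory as `top` and its configuration file as `path`; a `True` result means the file's protection rests only on the path being hard to guess.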