Fiel permissions - how much can I lock down my app's files?

Sorry for the cross-post. Having give it some additional thought, I
realize now I should have posted this here first ;-p

I want to lock down my site as much as possible and would like to set
the file permissions as restrictively as possible.

Is there any reason that any file used by my app but not in the /public
directory or subdirectories needs or should have Read, Write, or eXecute
for Public permissions?

How much can I lock down the Group permissions? Or does that depend on
the hosting service?