Matomo couldn't write to some directories

I have just installed Matomo and am now trying to make my installation secure. During the self test, the system reports this error message as shown in the subject, but I disagree with the recommended way to deal with the situation. So I would like to know where Matomo needs to write to exactly, and what happens if it can’t. Because, generally speaking, I am absolutely not in favour of letting web applications write executable code to the file system, and want to keep permissions as tight as possible. The ‘tmp’ directory, which I would prefer to place elsewhere, outside of this tree, is already owned by the web server and writable. FWIW, I would also like to do the entire management, including any plugins, from the command line and not from the web UI, but somehow didn’t yet find out, how.

Any help is much appreciated!