Thanks for your answer, however it is not really what I meant.
I didn't mean that LSWS should take over the UID/GID of the file it executes, that would be a bad idea anyway, but perhaps there should be an option to have LSWS refuse to execute a file if its UID/GID does not match the UID/GID specified in the vhost configuration.
We had the case just last week on a shared hosting server. Customer X had a world-writable directory. A "hacker" attacked the website of customer Y, found the world-writable directory in X's website and wrote a file there. That file was thus owned by Y, under X's website.
The "hacker" proceeded by surfing to the file on X's website, thereby executing it with X's user and defacing X's website as well.
Of course, it is X's fault for having a world-writable directory, but this could have been prevented if LSWS had refused to execute Y's file with X's permissions.