>> Don't their directories have to be under /www
That's why as I said for vhost environment, set suexec-docroot=/www option in /usr/ports/www/apache13/Makefile.
You were talking about user environment, that's for userdir configuration and setting --suexec-userdir=public_html should do just fine for that. Keep in mind, they are different thing.
Here is how the directory layout might look like under vhost environment:
/www - root:wheel - 755 (drwxr-xr-x)
/www/htdocs - root:www - 2750 (drwxr-s---)
/www/icons - root:www - 2750 (drwxr-s---)
/www/cgi-bin - root:www - 750 (drwxr-x---)
/www/vhosts - root:www - 755 (drwxr-xr-x)
/www/vhosts/vhost1.com - vhost1:www - 750 (drwxr-x---)
/www/vhosts/vhost1.com/htdocs - vhost1:www - 2750 (drwxr-s---)
/www/vhosts/vhost1.com/cgi-bin - vhost1:www - 750 (drwxr-x---)
/www/vhosts/vhost1.com/cgi-bin/script.cgi - vhost1:vhost1 - 700 (-rwx------)
/www/vhosts/vhost1.com/private - vhost1:vhost1 - 700 (drwx------)
/www/vhosts/vhost1.com/private/passwd.txt - vhost1:vhost1 - 600 (-rw-------)
Create another vhost (vhost2.com) respectively under /www/vhosts/.
In this setup, nobody except root and user vhost1 can cd to your private directory. As you can see, passwd.txt has 600 permission, thus, nobody execpt vhost1 and root can read+write to it. Well, actually other users can't even cd to your private directory because they don't have search access and unable to stat files within it.
Now let's take a look cgi-bin directory. It has 750 permission owned by vhost1 and grouped by www but deny all others seach access.
Why give www search access?
Because the user Apache runs as (www) needs to stat your script (locate the script), but not necessarily read or write it. To have search access, hint, one needs READ + Exec. To have Exec access, vhost needs READ + Exec, hint, you can't exec it if you can't even READ it. That said, your script.cgi with 700 permission is the appropriate permission in suEXEC environment. Technically, you can even chmod your script to be 500 (-r-x------) if you don't plan on editing it in the future.
The htdocs directory with 2750 permission (drwxr-s---), note the s with sticky-bit set, so that the same group is preserved when creating files or uploading files via FTP into your htdocs directory.
So what's the permission for /www/vhosts/vhost1/htdocs/index.html?
That's 640 (-rw-r--). User www just need READ access and that's all. Yes, www can read it but vhost2 can't.
Here is another issue I addressed in my other post, let me post it here again in case you missed it.
User vhost2's CGI scripts run as vhost2, not www, therefore, vhost2 has no access to your CGI scripts. If he writes a CGI script to open your index.html for reading, he can't either, because his script will run as vhost2. In mod_php, however, will be execute as www user, so it's possible for vhost2 to write a script.php and browse your cgi-bin directory, but still unable to READ your script.cgi.
The $HOME for vhost1 should be set to /www/vhosts/vhost1.com in this case.
This starts getting off-topic. If you have further questions, please start a new thread in Apache forum.