1. Improve the security of a Drupal install by keeping all files private, except for an index.php, no module or include files should be accessible from a web browser
This will not increase security. If .htaccess can not protect you, why would this? And how would we ship the tarball...? Untar this half below documentroot and index.php to documentroot...? /me shakes head
2. Core modules and includes should be completely seperated from extra downloaded modules and themes. This should make backing up things easier, as you only have to back up your "custom" folder instead of all of the main Drupal ones
Sure thing, use site/default/modules and site/default/themes for your own modules and themes. No need to change core.
3. The new structure should be multisite friendly. There should *not* be one files folder, but rather multiple ones, for multiple sites. You don't want that pr0n site on your multsite sharing the same images as your core business website, do you? ;-)
Opsie, what I suggested is multisite.
Please add/revise to this so we can reach a consensus on this soon enough.
You need to convince me that the current is not good. I tell you, this is not easy. Regards NK