Now, I'm not sure what the 'default upload path' is in this case; I'd always use the /volume1/web/ folder for
anything web accessible, and control rights using .htaccess files where needed.
Your method (regarding the DMS script files) should be feasible too, but you can't quite have it both ways as I suspect you're trying to do - if you want an upload folder where you as admin, thru the (letoDMS) web interface, are able to upload files, you simply cannot exclude everyone else from doing the same thing unless this is controlled properly and safely by the script (letoDMS).
Only using .htaccess access control (or methods
completely outside the Apache web server) on the folder can you with some confidence guarantee that unknown/undetected security faults in the script or holes in the Apache setup's security doesn't enable malicious users access to these files. And this
still does not ensure 100% security - if the system itself contains vulnerabilities somewhere else, its still possible that it can be breached. But that is inherent in anything connected to the internet, of course.
So, I'll have to ask you to describe in a little more detail what you are trying to achieve, as I may be misunderstanding exactly what you're trying to do here.
You
can use the path /var/services/letoDATA/ as an upload folder. But you
will need to:
1) Set correct owner and probably also ownergroup of the folder (same as those of any in the /volume1/web/ folder, basically, or whatever the Apache needs as a minimum);
2) Set correct rights for the folder - here I'm not entirely sure, but I think you at the very least have to set it to 660, if not 666. Execute shouldn't be needed, and it's way safer without, given that the folder shouldn't contain
executable script files? That would be the safe bet;
3) Set the folder to be included in the PHP open_basedir var, as it won't ever be accessible to PHP without this (or other setup changes).
But obviously, given the above settings, that folder won't really be any more safe than those under the 'web' folder, from the webserver point of view.
Tight .htaccess control of what/who can access the folder is a far safer approach in this case.
It does, however, leave the folder outside the loop with regards to the rest of the Synology DSM, ofcourse. So if that's part of the point, your way can work.