I don't quite understand here but here's my two cents.
1. *.php code can't be viewed in any browser, instead it shows the output of the code if there's any, shows any errors/warnings, or it will only a blank screen. Correct me if I'm wrong with this and please let me know if there's a way that I can view a PHP code in a browser.
2. If they knew the path where it's installed, it's only the path. They will not know the login credentials except for the username. The username is known because it gets from the domain name. For example, if I have a domain that is example.com, for sure the username is "example" because it did not exceed 8 chars.
3. You can set permission to each files under your account even if it's a shared account.
4. The warning messages is by default TURNED ON.
5. What's your basis when you say "So they have everything they need to login to
DreamHost.com/r.cgi?84605" target="_blank" rel="nofollow">
DreamHost"?