Chroot is by default on, but that doesn't prevent such account from read access.
I don't expect anything, I just pointed out that there is problem which can be possibly fixed by reworking cpanel import scripts, or simple warning displayed about possible security threat.
I'm very happy so far with CWP, guys behind it must be supported financially and paying for CWP Pro license is least of what any of us should do.
So your expectation is for CWP to scan all files from a backup generated on a different system and fix security flaws. That's unreasonable. IMHO.
IF, however all services, such as FTP are run in a chroot environment then it becomes a moot point i.e. restricted access by design.