Connect with FTP and put a file like test.html with 'hello' in it in the highest directory you can access, you've said it's / . Open a browser and go to yourdomain.com/test.html If you can see 'hello' your document root is web accessible. This would mean your document rot is your web root and your host need to give higher level access to you. As nogdog says there is usually a www or public_html folder. That is the web root normally. If you create folder next to the web root, they are not in the web root so are not web browseable. If you don't have a document root above you web root contact your host because you should have. If they wont give you that change hosts. It could be an indication of their lack of ability or they simple don't care. It's a pretty big red flag.
There is a program called cURL that is part of PHP that allows anyone to POST to anywhere. It's incredibly handy but allows anyone to post files to anywhere too. You might think you've only given access to trusted people but you can't be sure someone isn't attacking your server and posting executable file to the upload forms action address. If an attacker uploads an executable file to a non web root folder they cant access it to execute it.
To be somewhat secure you need to upload to a non web browseable folder, as your book suggests, and only restrict the files that are uploaded based on their extension, not their mime type.