quibono 4 hours ago

Re: the unauthenticated RCE (CVE-2025-11344), am I to understand that Apache will read and honour any .htaccess file it finds, even outside of the config root path? The lack of file clean-up when handling the exception is one thing... but this .htaccess logic strikes me as a bizarre default (if true).

formerly_proven 3 hours ago

Yes, Apache reads and honors .htaccess at every directory level for every request. 'twas how we did things before nginx with its pesky, centrally-sanctioned configuration that you had to manually reload.
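
The per-directory lookup discussed in this thread, as an added defender-side example that is not part of any comment: it lists the .htaccess paths consulted for a served directory and inventories every .htaccess under a tree, marking those in group- or world-writable directories. The function names and the `override_root` parameter are hypothetical, and it assumes overrides (`AllowOverride`) are enabled from `override_root` downward with the default file name.

```python
import os
import stat
from pathlib import Path

ACCESS_FILE = ".htaccess"  # Apache's default AccessFileName


def lookup_chain(override_root, served_dir):
    """Paths checked for per-directory config when a file in served_dir is
    requested, ordered from override_root down to served_dir.
    Assumption: overrides are enabled for override_root and everything below."""
    root = Path(override_root).resolve()
    cur = Path(served_dir).resolve()
    cur.relative_to(root)  # raises ValueError if served_dir is outside the root
    chain = []
    while True:
        chain.append(cur / ACCESS_FILE)
        if cur == root:
            break
        cur = cur.parent
    return list(reversed(chain))


def audit(override_root):
    """Inventory every .htaccess under override_root.
    Returns sorted (path, dir_is_group_or_world_writable) tuples, so files
    sitting in loosely permissioned directories stand out for review."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(override_root):
        if ACCESS_FILE in filenames:
            mode = os.stat(dirpath).st_mode
            loose = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
            findings.append((str(Path(dirpath) / ACCESS_FILE), loose))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, loose in audit(base):
        print(("REVIEW " if loose else "ok     ") + path)
```

Comparing the inventory against the .htaccess files a deployment is known to ship makes an unexpected one easy to spot.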