Currently the standalone installation assumes that the root civicrm directory is inside the docroot of the web server. However, web app security best practices dictate that you minimize the amount of code placed into the docroot (makes the potential attack footprint smaller).
In the past I have setup standalone installations that put only the civicrm/standalone directory inside the docroot. You then have to symlink the css, i, js, packages, and api directories into standalone. With the new installer, you also have to symlink CRM, install, README.txt, and possibly others. These symlinks negate the whole purpose of the restricted docroot.
We should redesign the standalone installer to minimize the amount of the system (especially code) that is exposed in the docroot of the web server.