The title storages use '/' as fall-back directory when instance is created and a path configured for storage does not exist in the FS.
This exposes the whole fs for such users what is not a desired behaviour, and can be considered a security threat.
The desired solution is not to create such storages. E.g. if user mapped to xlogin 'nobody' has no home directory then Home storage should not be created for her. Same for VARIABLE.
Fixing this bug this way, will also allow for providing a storage for selected users only, what is useful on its own.