According to the /projects/security-review module:
"It is dangerous to allow the web server to write to files inside the document root of your server."
My suggestion is to place the cache folder in the same directory as the files folder - and it should be hidden, so that there's no more warning by the security-review module:
Boost directories and file extensions -> Cache Dir:
This resolved all the warnings of the security-review module.
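A check of the kind the quoted warning describes, as an added example that is not part of the original post and not the security-review module's own code: it walks a document root and lists paths the web server account can write to outside an allowed upload directory. The directory names `sites/default/files`, `cache` and `.boost-cache` are constructed for the demo, and write access is judged from mode bits only.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """True if the mode bits grant write access to the given uid / group set."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_outside(docroot, allowed_dirs, uid, gids):
    """Docroot-relative paths the account can write to, skipping allowed subtrees."""
    allowed = {os.path.normpath(os.path.join(docroot, d)) for d in allowed_dirs}
    hits = []
    for root, dirs, files in os.walk(docroot):
        # Prune the allowed upload directory (and everything below it).
        dirs[:] = [d for d in dirs if os.path.join(root, d) not in allowed]
        for name in dirs + files:
            path = os.path.join(root, name)
            if writable_by(os.lstat(path), uid, gids):
                hits.append(os.path.relpath(path, docroot))
    return sorted(hits)

def demo(cache_rel):
    """Build a constructed docroot with the cache at cache_rel, then scan it."""
    files_dir = "sites/default/files"  # constructed upload directory
    with tempfile.TemporaryDirectory() as docroot:
        for d in (files_dir, cache_rel):
            os.makedirs(os.path.join(docroot, d), exist_ok=True)
        # Code directories: read-only for the group the web server runs in.
        for root, dirs, _ in os.walk(docroot):
            for d in dirs:
                os.chmod(os.path.join(root, d), 0o755)
        # Upload and cache directories: group-writable for the web server.
        for d in (files_dir, cache_rel):
            os.chmod(os.path.join(docroot, d), 0o775)
        st = os.stat(docroot)
        # Assumed web server account: not the owner, member of the tree's group.
        return writable_outside(docroot, [files_dir], st.st_uid + 1, {st.st_gid})

if __name__ == "__main__":
    print("cache beside the code:", demo("cache"))
    print("cache under files dir:", demo("sites/default/files/.boost-cache"))
```
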