Torquil Beavis asked:

How to make upload folder private

How do I make user-uploaded files private if I don't have a private folder? I use a shared remote Linux host.
SOLUTION
arnold
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER

I need to have a secure folder for my users to upload images to. My understanding so far is that I need a private folder outside my root in order to secure the files (among other safeguards), otherwise anything could be uploaded inside the root's folders.

I use a web host that has a shared host server running Apache, remote from me. I have no access to the host except through FTP and SSH.

Here is the folder structure where [sc] = shortcut symbol:
root
/.config
/.logs
/[sc]public_html (points to /web)
/[sc]my web site name without the .com (points to root)
/web
:
/web/my web site folders

Apparently, most hosts allow access outside the root for private folders, this being more secure than inside the root.
Incidentally, my web app is in PHP/MySQL, and images that I intend to have users provide will be .jpg, .png, and .gif. These images would be stored in the private folder and pointed to by db entries, since storing the images would use too much db space.
SOLUTION
So, does this mean I do not have access to a private folder?
And what server-based process would be needed to stream the image?

So if I had a private folder where uploads landed, then I could test the uploaded file, and if it passed, then have PHP read the file and write it to one of my web folders?
SOLUTION
Let's see if I understand this correctly.
If I had a private folder where uploads landed, then I could test the uploaded file, and if it passed according to my standards, my PHP script could read the file and write it to one of my web folders, then insert the address and filename into the db? Likewise, if the user wanted to update the image, except it would be a db update.
SOLUTION
1. So, I take it from the folder structure above that I do not have a private folder (even though it shows 'public_html')?

2. If 1. is true, then the issue is, firstly, whether I can get a private folder, and secondly, what process I can discover that will allow a move from that private folder to the public folder. Right?

... Hold it: I just read this: "The public_html folder is the web root for your primary domain name. This means that public_html is the folder where you put all website files which you want to appear when someone types your main domain (the one you provided when you signed up for hosting)." When you talk about 'root', are you talking 'web root' or the one that has the web root as one of its folders? And if the root we are discussing is web root, then surely I can create a private folder above 'web'?
SOLUTION
I can create/assign chmod via FTP or SSH.
ASKER CERTIFIED SOLUTION
I selected my own comment as the solution since the expert advice needed me to do more work in determining that a private folder could be created outside the /web folder, which turned out to be the web root. Consequently, the solution was to handle upload data and files through a script in the web folder which has access to the private folders while users may not.

Thanks arnold. Your help is much appreciated.
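
The arrangement described in the closing comment (a script inside the web root that writes to and reads from a folder outside it), as an added PHP example that is not code from the thread. The folder name `private_uploads`, the form field `image`, the query parameter `f` and the 2 MB limit are assumptions.

```php
<?php
declare(strict_types=1);
// Added example. Assumed layout: this file is /web/image.php, uploads go to /private_uploads.
const PRIVATE_DIR = __DIR__ . '/../private_uploads';   // sibling of the web root, no URL maps to it
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024;                     // assumed size limit

// Validate one $_FILES entry, move it to the private folder, return the name to store in the db.
function store_upload(array $file): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('Upload rejected');
    }
    // Decide the type from the file content, never from the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = ALLOWED[$mime] ?? null;
    if ($ext === null || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a JPEG, PNG or GIF image');
    }
    // Server-generated name: the user's file name never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], PRIVATE_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store upload');
    }
    return $name;
}

// Stream a stored image; $name is the value previously saved in the db.
function stream_image(string $name): void {
    $path = PRIVATE_DIR . '/' . $name;
    // Accept only names of the shape store_upload() generates, which rules out path traversal.
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $name, $m) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . array_search($m[1], ALLOWED, true));
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
// Assumption: the application's own login and ownership checks run before this point.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        echo store_upload($_FILES['image'] ?? []);     // caller saves this name in the db row
    } catch (RuntimeException $e) {
        http_response_code(400);
    }
} else {
    stream_image(is_string($_GET['f'] ?? null) ? $_GET['f'] : '');
}
```

Because the stored files never sit under a URL Apache serves, nothing uploaded can be requested or executed directly; every read goes through `stream_image()`, which only ever emits an image content type.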