I identified the cause, it is #14866 which broke PIWIK_DOCUMENT_ROOT being a shared, read-only directory and PIWIK_USER_PATH being the directory to relocate writable config and tmp to.

See the documentation for PIWIK_USER_PATH:

PIWIK_USER_PATH – override the default to relocate config and tmp files outside the web document root. This facilitates a “best practice” of preventing direct access to php files. It is also useful with shared hosting to separate shared code from user/account-specific configuration. The default is the same as PIWIK_DOCUMENT_ROOT. Note: open_basedir() restrictions may apply

A case where this was previously broken: #11654
A team member's comment explaining the constant's indended use: #1453 (comment)

EDIT: wrongly copied the docs for PIWIK_INCLUDE_PATH. PIWIK_INCLUDE_PATH is unrelated, this is all about PIWIK_DOCUMENT_ROOT and PIWIK_USER_PATH.

@florianjacob could you maybe explain what the issue is with PIWIK_USER_PATH? I'm not quite understanding the problem from above comment and also why you mention PIWIK_INCLUDE_PATH etc?

PIWIK_USER_PATH: There you should have basically your config.ini.php in there. Is this a problem when you install it headless maybe or so? And how / where do you define PIWIK_USER_PATH and when?

I'm sorry for not being able to bring the issue across, I'll try again to explain what we're doing with more context:

We maintain the matomo package for the NixOS Linux distribution.
The package installs the contents of the matomo release zip files to /usr/lib/matomo and uses that as PIWIK_DOCUMENT_ROOT. This distribution though enforces a strict policy of /usr/ being read-only. Everything that is variable, like Matomo's config.ini.php and tmp has to go to /var/lib/matomo. The idea is that the files in PIWIK_DOCUMENT_ROOT = /usr/lib/matomo can be shared read-only between multiple Matomo instances. While having shared package files in a read-only /usr is good practice, other distributions don't enforce this, and either allow to install the matomo files to /var, or allow to have writable files in /usr.

With Matomo 3.11 and below, we separated the read-only files that come with the package and the read-write files that are created or modified at runtime by having a bootstrap.php in /usr/lib/matomo, i.e. the PIWIK_DOCUMENT_ROOT, that sets PIWIK_USER_PATH to /var/lib/matomo. Matomo upgrades are handled by the operating system, so Matomo did not require write access to its PIWIK_DOCUMENT_ROOT. Everything worked out.

#14866 changed the behaviour of PIWIK_USER_PATH that it doesn't move all read-write files and folders from PIWIK_DOCUMENT_ROOT anymore, i.e. it tries to write to ${PIWIK_DOCUMENT_ROOT}/tmp (and config/global.php & config/global.ini.php? I'm not sure if those files are written if matomo upgrades are handled by the operating system and not matomo itself).

I hope this comprehensible, thanks for your patience.

(For NixOS-proficient readers: With /usr/lib/matomo I mean /nix/store, but the NixOS specifics don't matter here)

I understand now. I didn't understand why config be an issue but now it's clear that only tmp is an issue. The solution be to change this line back: https://github.com/matomo-org/matomo/pull/14866/files#diff-56421c8d6bc21777119c147c3c6aa589R11 to 'path.root' => PIWIK_USER_PATH,. I'm not sure this worked before by intention as path.root did not quite sound like it should be user related. I'll have a think and create a PR

Create a PR. Here's the diff https://github.com/matomo-org/matomo/pull/15106/files