By uploading it to the "backdoor" folder, the alleged attacker will be able to run any scripts on behalf of the web server. Well, or on behalf of php-fpm, for example. Shell scripts will run under the same name. Therefore, "getting root" is not possible by default.
The presence of chroot in ftp, in its essence, destroys the described problem in the bud.
BUT! All of the above is true in the absence of an exploit of critical kernel vulnerabilities. Therefore, if there are current security updates.