Apache/PHP Correct permissions for uploading a binary that runs server side?

I've prepared a PHP browser interface (like a modem interface) for an embedded system that is supposed to help manage the core application (uploading a new binary or AppImage) and its configurations (altering contents of text files).

All great during development, because I'm running the PHP server from the terminal, as the same user that runs the core software. However, on the actual machine, this browser interface will be provided by Apache, so its user will be www-data, and the core software needs to be run by a different user, let's say kiwi.

So my question is, how can I handle the permissions correctly so that there's no security issue like adding user www-data to group kiwi (as far as I'm concerned, this is a security issue)?



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
