It is common practice in UNIX and FreeBSD to drop the privileges of an Internet server to the lowest possible user/group on the system. In the case of Apache, it's usually nobody or www. The simple reasoning behind this is that when an Internet server is compromised and an attacker enters the host system as the user or group that the server (e.g. Apache) runs as, the attacker has almost no privileges on the host system. So the attacker ends up in a very limited environment, without a shell, without privileges, let alone elevated privileges (like su rights). This means that there is no further danger posed by that particular attacker. You'll find that most Internet servers, ranging from Sendmail to Postfix to Dovecot to BIND to $(etc. etc.), run under unprivileged user/group accounts as soon as they're started. They're started by the root user (to be able to grab a port below 1000), and drop to unprivileged user/group accounts immediately thereafter.