Folder Purposes
Installation suggests read-write access for the following folders during setup. If your site supports .htaccess protection, then you should use it for these folders.
/cache
This is used to cache session and database information. The BEST security protection for this is to move it to a folder "above" the public_html/htdocs/www area, so that it's not accessible via a browser. (Requires changes to the DIR_FS_SQL_CACHE setting in configure.php files as well as Admin > Configuration > Sessions > Session Directory.)
/images
This is discussed earlier in this article.
/includes/languages/english/html_includes
This is discussed earlier in this article.
/media
This is only suggested to be read-write so that music-product media files can be uploaded via the admin. Uploading by FTP is an alternative.
/pub
This is used on Linux/Unix hosts to make downloadable products available to customers via a secure delivery method that doesn't disclose the 'real' location of files/data on your server (so that people can't share a URL and have their friends steal downloads from your site).
/admin/backups
This is used by automated backup routines to store database backups. Optional.
/admin/images/graphs
This is used by the Admin > Tools > Banner Manager for updating/displaying bar graphs related to banner usage. If not writable, this feature is ignored.
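One way to check the folders listed above on a Linux/Unix host, as an added example that is not part of the original article or the project's own code: it reports which folders lack a .htaccess file or are world-writable, and whether the cache folder still sits inside the web root. The function names and output format are assumptions.

```shell
#!/bin/sh
# Added example. Folder names are taken from the list above; the function
# names and output format are assumptions made for this example.
# Assumes the admin folder is still named "admin", as written on this page.
WRITABLE_FOLDERS="cache images includes/languages/english/html_includes media pub admin/backups admin/images/graphs"

# Print one line per listed folder under the store root ($1):
#   "<folder> MISSING"  or  "<folder> htaccess=yes|no world_writable=yes|no"
audit_writable_folders() {
    root=$1
    for f in $WRITABLE_FOLDERS; do
        dir="$root/$f"
        if [ ! -d "$dir" ]; then
            echo "$f MISSING"
            continue
        fi
        ht=no
        [ -f "$dir/.htaccess" ] && ht=yes
        # Character 9 of the ls mode string is the "other" write bit.
        case $(ls -ld "$dir" | cut -c1-10) in
            ????????w?) ww=yes ;;
            *) ww=no ;;
        esac
        echo "$f htaccess=$ht world_writable=$ww"
    done
}

# Return 0 if the cache folder ($2) resolves to a path inside the web root ($1),
# 1 if it sits outside (the placement the /cache entry recommends), 2 on error.
cache_inside_webroot() {
    web=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    cache=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    case "$cache/" in
        "$web"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: sh audit.sh /path/to/store [/path/to/cache]
if [ "$#" -ge 1 ] && [ -d "$1" ]; then
    audit_writable_folders "$1"
    if [ "$#" -ge 2 ] && cache_inside_webroot "$1" "$2"; then
        echo "cache folder is inside the web root"
    fi
fi
```

A folder reported with htaccess=no and world_writable=yes is the first one to review; a MISSING line only means that optional folder is not present in this install.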