I'm just wondering if there is a way to put them outside the DOCUMENT_ROOT.

Depends on what "them" is. Your database is certainly outside the document root. Your images may be as well, but doing this is not for the feint of heart. You can change the settings in your zp-config.php file for the albums folder. But you must be aware that many things, such as flash players, will not work if the images are not in the document root.

In the headline I asked about the safety of the [b]access data[/b] for the MySQL database and referred to them in my question.

So I'll put it in another way:
How safe are the access data for the MySQL database, which are stored in /zenphotp/zp-core/zp-config.php?
Is there a way to store the access data for the MySQL database outside the DOCUMENT_ROOT?

That would, of course, depend on your server and its security. These are just files and will follow the file security that is setup on the server.

There is no way to store this data outside the document root.