
What are the security risks of using PHP magic constants?


PHP's magic constants allow you to access information such as the current PHP file being executed, the name of the current function, etc.

While this data is not user input directly, it can definitely be influenced by user input (e.g. by visiting a specific path to influence __DIR__ and __FILE__, etc.); however, in most cases it is not possible for remote user input to accurately influence these variables.

For example, if you were to visit example.com/<script>window.alert("XSS");</script>, this would not result in the __FILE__ variable on that server containing malicious JavaScript. Instead, it would contain the path of your 404 ErrorDocument (assuming that XSS example wasn't an actual path on your server).

What other ways are there that malicious data could get into these variables?

Are there any other security considerations that I have missed related to PHP magic constants?

For context, this is about an Apache server serving static PHP pages; there is no additional user input on the site (e.g. forms, file uploads, cookies, etc.).


Solution

  • There are no security risks. Those constants pull from server data (i.e. your PHP file path). Those cannot be controlled by an end user.