I am developing a PHP application that uses SQLite as database management system, MySQL and PostgreSQL etc. is not an alternative (although I would really like to use pgsql), because I want the setup to be very beginner-friendly and zero-headache alike. Now many people use a shared hosting, and alot of them only offer direct FTP access to the htdocs-directory, but not above that. That means the customers would have to put the SQLite-Database-File inside their htdocs, meaning that it is accessible to the world and anyone can download it.
What is the best way to give the customer some kind of protection from that, that is simple and also supported on all HTTP servers?
You can use a .htaccess file and lock down the database name so it's not externally accessible. Many servers will already do this for all filenames starting with a ".". This will work on Apache of course, but you'll still need fixes for other web servers.
Your best bet is to really set it up such that it can be hosted above htdocs. Maybe you can use an installation script that checks the document root and moves the sqlite file to a higher directory if possible.
Unfortunately, because sqlite is read and written to by the same user as the web server, there's no easy way to lock it down from external access. Hiding it and moving it are the only real solutions I can think of.