Quite simply, yes. Unlike WordPress, however, Moodle stores its installation in the root, but also stores data outside the root, where it is not accessible via the web.
You really do need ftp access to install Moodle and non-core components (additional assignment types, modules, etc.). You can also install and upgrade Moodle via the command line, which is also a [em]lot[/em] faster that ftp. But either way, you need that backend access. But really, they just need to trust that you aren't going to go in and mess things up. Placing Moodle in a subdirectory would allow you to grant access to a different ftp user account, which you would only need to use for initial install and setup. That way, if you were using your regular ftp user account, even if you did something accidentally, you couldn't mess up the Moodle install, since you wouldn't have access to it under your regular ftp user account. I hope that makes sense to you.