They mean for you to set that value to a directory that is not reachable from the web, though you could also set that directory's permissions in such a way that only your user can read it (since PHP-CGI and perl both run as your user under suexec).
You do not have to create a new, or another, user to do this. In fact, you probably don't want to do that because of the way scripts are run under suexec, as mentioned above.
The way I do this is to make a subdirectory in my user directory (the same directory that my domain's web directory is in), and use the path to that.
/home/myuser <--- my user directory
/home/myuser/mydomain.tld <--- my domain's "web" directory
/home/myuser/ubr_temp <--- the directory used for $TEMP_DIR value in 'ubr_upload.pl' AND 'ubr_ini.php'.
This keeps the directory "non-public" to the web, which is what the instructions advise you to do.
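
A way to verify a layout like the one above, as an added example that is not part of the original post: the function name check_temp_dir is hypothetical, and the paths are constructed sample values built in a throwaway directory. It checks both conditions discussed here, that the $TEMP_DIR directory resolves to a location outside the web directory and that only the owner can access it.

```sh
#!/bin/sh
# Added example, not from the original post. check_temp_dir is a hypothetical
# helper name; all paths used in the demo are constructed sample values.

# check_temp_dir TEMP_DIR WEB_ROOT
# Returns 0 if TEMP_DIR is outside WEB_ROOT and closed to group/other,
#         1 if TEMP_DIR is inside (or equal to) WEB_ROOT,
#         2 if group or other have any permission on TEMP_DIR,
#         3 if either path is not a directory.
check_temp_dir() {
    temp_dir=$1
    web_root=$2
    [ -d "$temp_dir" ] && [ -d "$web_root" ] || return 3

    # Resolve symlinks so a path that only looks external, but really
    # points into the web directory, is still caught.
    real_temp=$(CDPATH= cd -- "$temp_dir" && pwd -P) || return 3
    real_web=$(CDPATH= cd -- "$web_root" && pwd -P) || return 3

    # Trailing slash prevents "/x/site2" from matching web root "/x/site".
    case "$real_temp/" in
        "$real_web"/*) return 1 ;;
    esac

    # Characters 5-10 of the ls mode string are the group and other bits.
    group_other=$(ls -ld "$real_temp" | cut -c5-10)
    [ "$group_other" = "------" ] || return 2
    return 0
}

# Demo on a constructed layout mirroring the one in the post.
demo=$(mktemp -d)
mkdir -p "$demo/myuser/mydomain.tld" "$demo/myuser/ubr_temp"
chmod 700 "$demo/myuser/ubr_temp"   # owner only; under suexec the scripts run as the owner
if check_temp_dir "$demo/myuser/ubr_temp" "$demo/myuser/mydomain.tld"; then
    echo "ubr_temp: outside the web directory and owner-only"
fi
rm -rf "$demo"
```
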