Zend Framework is using that technique, which makes the entire application safe from outputting sensitive PHP code as plain text since everything is outside the document root, and using mod_redirect to know what module/controller/action to dispatch to.

A basic project layout looks something like

application
- controllers
- views
- - scripts
public
- .htaccess 
- index.php
library
- Zend

and having ../library in your include path let’s you autoload all Zend classes (i.g. Zend_View) easily from anywhere in the application. Naturally, Zend also comes with class autoloaders for view helpers and other custom class prefixes, but this is beside the question scope.

Since everything is outside the document root (/public), the only script a user could see (in case something goes wrong and users start to see exposed PHP code) is a call to the application bootstrap and other initialization lines (i.g. include paths and and some constants, but you could also have all these initialized by including another external file…).

In short, yes it is a good idea, and a good practice, to put the core classes outside the document root. All you need, then, is to add the path to your shared library in the include path list with something like :

set_include_path(implode(PATH_SEPARATOR, array(
    LIBRARY_PATH,
    get_include_path(),
)));

where LIBRARY_PATH is the relative or absolute path to your shared library.

Be aware, however, that more paths you add, the slower autoloading classes will be. It is good practice to only have about 3 paths in there or less. Take a look at how Zend managed to get around this with their autoloaders.