Beginner question. I saw this mentioned on a website, considered a bad practice, but can't remember where and why. So, if I have a user which has access to files that Apache shouldn't have access to, and I add this user to the Apache group, would that make a security hole? If yes, why (Apache shouldn't be able to access the sensitive files if, for example, the permission is 700)?
Any permission setting can create a security issue in some environments, if the impact of the permissions is not understood.
Adding a user to a group will generally not give any special privileges to that group. Files owned by the user will not normally be visible to members of that group, since you are probably not setting that group as the default group for that user.
If the user uses sg or something to create files so that group has access to the file, then any members of that group will have access to the file. If that person creates some file or directory and grants read-write privileges to that group, then potentially, a bug in the web server or code being served could be exploited to store arbitrary files in that directory, and serve that out.
In some kind of multi-tenant arrangement, granting permissions to the apache group may allow a tenant to see data created and owned by another tenant.
In any case, just take some time and use the find command with the -gid option to find files and directories on your system that belong to that group. That will let you see what you are granting access to when you add a user to a group.
You would generally run apache as a user with almost no privileges on the system. Typically less than you would give normal users on the system. The user running apache should have write access to almost nowhere, hopefully nowhere other than logging. You presumably added a user to the apache group to give that user additional privileges. Are they privileges that the apache server process even needs in the first place? Should these privileges be assigned to some other group that the user is part of instead of the apache group?
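The find -gid audit suggested above, as an added example that is not part of the original posts. The function names and the demo tree are constructed for illustration, and the current user's primary GID stands in for the apache group's GID.

```shell
#!/bin/sh
# Added example: list what membership in a group actually exposes.
# On a real host, look up the GID first, e.g. with `getent group apache`
# (assumption: the group name varies by distribution).

# Paths under DIR owned by group GID that the group may write to.
group_writable() {   # usage: group_writable GID DIR
    find "$2" -gid "$1" -perm -g=w -print 2>/dev/null | sort
}

# Files under DIR owned by group GID that the group can read
# but "other" cannot, i.e. data exposed only through membership.
group_only_readable() {   # usage: group_only_readable GID DIR
    find "$2" -gid "$1" -type f -perm -g=r ! -perm -o=r -print 2>/dev/null | sort
}

# Constructed sample tree; prints its path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/uploads" "$d/private"
    : > "$d/private/secret.txt"
    : > "$d/shared.conf"
    : > "$d/public.html"
    chgrp -R "$(id -g)" "$d"            # make the group ownership explicit
    chmod 700 "$d/private"              # the 700 case from the question
    chmod 600 "$d/private/secret.txt"
    chmod 775 "$d/uploads"              # group-writable directory
    chmod 640 "$d/shared.conf"          # group-readable, hidden from others
    chmod 644 "$d/public.html"          # world-readable anyway
    printf '%s\n' "$d"
}

demo() {
    gid=$(id -g)                        # stand-in for the apache GID
    tree=$(make_demo_tree) || return 1
    echo "Writable by group $gid:"
    group_writable "$gid" "$tree"
    echo "Readable only via group $gid:"
    group_only_readable "$gid" "$tree"
    rm -rf "$tree"
}

demo
```

The 700 directory and the 600 file appear in neither list; the 775 directory and the 640 file are what the group membership would grant.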