why still have a case relying on including a file here. Is this something we should also try to change ?

or maybe combiningX-Body-File andX-Body-Eval is an impossible case ? And if we stop using PHP code, wouldn't we break this case that expect to include the file to evaluate it ?

There's no need to change this: the required file cannot come from any user input, and we do validate the name of the file, so that arbitrary file inclusion is not possible.

Well, from my understanding of re-reading this code, thisX-Body-File corresponds to a file written in the cache store. If we stop using PHP to implement the ESI logic, we might need to process the boundaries there instead of evaluating the file.

Do we have functional tests covering the case of a processing of ESI tags alongside a cached response of HttpCache ? Because I suspect that this is the case that is now broken (we would write the cache with boundaries instead of PHP code but read it as if it was PHP code).

instead of putting the boundaries around the content of the returned response, which force the caller to be aware of it to remove it (even if the content has no ESI tag), we might put the boundary in a headerX-Body-Boundary (that the caller can still remove), which might make the removal easier

The caller has to be aware of the content in any cases.
Putting it before+after allows a quick check to ensure it's correct in HttpCache:
if (substr($content, -24) === $boundary = substr($content, 0, 24)) {

This looks like a BC break not suitable in a patch release as projects might use the Esi class directly.

This is a security-related fix, I'd better break existing implems that do that so that they can adjust. (I also doubt this will hit anyone in practice 🤞 )

then the boundary length should at least be a public constant, so that they don't have to hardcode this24 everywhere