The expectation of Command::whitelistPaths() is that you pass just the files you want, and everything else is invisible inside the firejail. The problem is that this behavior really depends on how MediaWiki is set up, and where it is set up.
$ man firejail
...
--whitelist=dirname_or_filename
    Whitelist directory or file. A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, everything else is discarded when the sandbox is closed. The top directory could be user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
When firejail gets --whitelist=/srv/mediawiki/core/includes/shell/limit.sh, it will hide everything in /srv except for the whitelisted file. However, it leaves anything outside of /srv fully accessible.
Consider the file structure of the Debian package: MediaWiki is in /usr/share/mediawiki, so all of that will get hidden, but /etc/mediawiki/LocalSettings.php with your database password will be fully visible (mitigated by T182484).
Note that firejail prevents you from shooting yourself in the foot, so if you try --whitelist=/usr/share/mediawiki/..., it will make sure that /usr/bin/, /usr/lib, etc. are still available (it only hides /usr/share). But that means that if you are shelling out to something that depends upon fonts (texvc, lilypond, ...), which are located in /usr/share/fonts/..., you're out of luck.
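A simplified model of the behaviour described above, as an added example that is neither MediaWiki nor firejail code: given a whitelist, it reports which paths end up whitelisted, hidden, or still exposed. The top-directory list is taken from the man page excerpt plus /usr/share as noted above (user home is omitted); the function names and the Debian-layout sample paths are constructed for illustration.

```python
from pathlib import PurePosixPath

# Top directories from the man page excerpt, plus /usr/share, which the text
# says is the only part of /usr that gets hidden. User home is not modelled.
TOP_DIRS = [PurePosixPath(p) for p in
            ("/dev", "/media", "/mnt", "/opt", "/srv", "/var", "/tmp", "/usr/share")]


def _is_under(path, parent):
    """True if path is parent itself or lies somewhere below it."""
    return path == parent or parent in path.parents


def top_dir_of(path):
    """Return the top directory a tmpfs would be mounted on, or None."""
    path = PurePosixPath(path)
    for top in TOP_DIRS:
        if _is_under(path, top):
            return top
    return None


def classify(path, whitelist):
    """Model how `path` appears inside the sandbox for the given whitelist."""
    path = PurePosixPath(path)
    entries = [PurePosixPath(w) for w in whitelist]
    if any(_is_under(path, w) for w in entries):
        return "whitelisted"          # bind-mounted back into the tmpfs
    hidden_tops = {top_dir_of(w) for w in entries} - {None}
    if any(_is_under(path, top) for top in hidden_tops):
        return "hidden"               # covered by the tmpfs
    return "exposed"                  # outside every affected top directory


def audit(whitelist, sensitive_paths):
    """Return the sensitive paths that the whitelist does not hide."""
    return [p for p in sensitive_paths if classify(p, whitelist) != "hidden"]


if __name__ == "__main__":
    # Constructed sample input modelled on the Debian layout discussed above.
    wl = ["/usr/share/mediawiki/includes/shell/limit.sh"]
    for p in ("/usr/share/mediawiki/LocalSettings.php",
              "/etc/mediawiki/LocalSettings.php",
              "/usr/share/fonts/truetype/example.ttf",
              "/usr/bin/php"):
        print(f"{classify(p, wl):12} {p}")
```

Any path that `audit()` returns needs protection by some other means, since the whitelist alone leaves it readable.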