Security Risk having .env and more development-only files in same folder as public files like index.php?

As a PHP development firm, we have learned the hard way the lessons of having the .env, README.md, composer.json, composer.lock, and more development-only files in the publicly accessible folder. A PHP framework we admire is Laravel and its use of the /public folder to separate development-only files stored in the root from publicly accessible files (see Directory Structure - Laravel - The PHP Framework For Web Artisans).

We were surprised upon our first install of Mautic to see that development-only files like the .env with sensitive information are located in the same folder as the public files. Ideally, we would prefer to see the public files like index.php and more located in a /public folder, so as to take an extra step to restrict access to the sensitive development-only files. This allows us as developers to have the .env, README.md, composer.json, and more outside the access of the public.

Are there plans to follow the Laravel approach: keep the sensitive development-only files in the root folder, as they currently are with Mautic now, and add a /public folder for the publicly accessible files like index.php, to add an extra layer of security?
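As an added example that is not part of the original post or of the Mautic project: a POSIX shell audit that lists which development-only files would be served verbatim from a given document root. The file names are taken from the post; the two directory layouts it is meant to be run against (a flat layout where the vhost points at the project root, and a split layout where it points at project/public) are assumptions used to illustrate the difference.

```shell
#!/bin/sh
# Added example, not from the forum post or from Mautic.
# Audit a web document root for development-only files that a web server
# would hand out as static content. Names below are those the post lists
# (an assumption; extend as needed for your project).
SENSITIVE_NAMES=".env .env.local .env.example README.md composer.json composer.lock"

# list_exposed DOCROOT
# Prints, one per line, every sensitive entry found directly under DOCROOT
# (the directory your vhost's DocumentRoot / root directive points at).
# Returns 1 when anything was found, 0 when the root is clean.
list_exposed() {
    docroot=$1
    found=0
    for name in $SENSITIVE_NAMES; do
        if [ -f "$docroot/$name" ]; then
            printf '%s\n' "$docroot/$name"
            found=1
        fi
    done
    # .git is a directory; a served .git/config or .git/HEAD leaks repo details
    if [ -d "$docroot/.git" ]; then
        printf '%s\n' "$docroot/.git/"
        found=1
    fi
    return $found
}

# count_exposed DOCROOT
# Number of sensitive entries under DOCROOT, for use in scripts/CI gates.
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_docroot.sh /var/www/html
if [ $# -gt 0 ]; then
    if list_exposed "$1"; then
        echo "clean: no development-only files under $1"
    else
        echo "exposed: move the files above out of the document root" >&2
    fi
fi
```

Run it against the directory the web server actually serves, not the project root: with a Laravel-style split the project root still contains .env and composer.json, but pointing the vhost at /public is what keeps them unreachable.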

Hi there,

Please take a look at the Composer work we have done with Mautic 4: Managing Mautic with Composer

Specifically take a look at the Recommended Project repo:

Hopefully this will answer your questions and provide a way for you to manage Mautic in the way you are suggesting.
