How to hide configuration files
I have inherited a Grav project.
Many files under the /user/config folder (security.yaml, for example) and the /user/accounts.yaml folder are public. That is, any user that knows the right path can access these files on our production server.

Is this expected behaviour? Or did the previous admin make a mistake during configuration?
If this isn’t expected, how can I make these pages “private”? I don’t think they should be exposed publicly.
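One way to verify the state the post describes, and to re-check after the web server has been fixed, is to request the sensitive paths from your own deployment and see which ones the server still serves. The script below is an added example, not code from the original post or from the Grav project; it assumes `curl` is installed, that `user/config/security.yaml` and `user/config/system.yaml` are the files in question (the first is named in the post, the second is a standard Grav config file), and that the admin account file is `user/accounts/admin.yaml` (the account file name depends on the site, so that path is an assumption).

```shell
#!/bin/sh
# Added example (not part of the original post): probe a Grav site for
# configuration files that the web server should refuse to serve directly.
# Assumptions: curl is installed and BASE_URL points at your own site.

# Paths that must never be readable over HTTP. The first two are the
# post's /user/config files; the account file name is an assumption.
SENSITIVE_PATHS="
user/config/security.yaml
user/config/system.yaml
user/accounts/admin.yaml
"

# verdict STATUS
#   Prints "blocked" for a 403/404 and returns 0; prints "EXPOSED" for a
#   200 and returns 1; anything else is reported as unexpected (return 1).
verdict() {
  case "$1" in
    403|404) echo "blocked";          return 0 ;;
    200)     echo "EXPOSED";          return 1 ;;
    *)       echo "unexpected($1)";   return 1 ;;
  esac
}

# check_site BASE_URL
#   Requests each sensitive path (following redirects), prints one line
#   per path with the final HTTP status, and returns 1 if any was served.
check_site() {
  base="${1%/}"
  rc=0
  for p in $SENSITIVE_PATHS; do
    status=$(curl -sL --max-time 10 -o /dev/null -w '%{http_code}' "$base/$p")
    result=$(verdict "$status") || rc=1
    printf '%-32s %s %s\n' "$p" "$status" "$result"
  done
  return $rc
}

# Usage: sh check_grav_exposure.sh https://example.com
if [ "$#" -ge 1 ]; then
  check_site "$1"
fi
```

A line showing `200 EXPOSED` means the server handed the file back as plain text. Grav does not protect these files itself; it relies on the web server rules it ships, the `.htaccess` in the site root for Apache and the sample `nginx.conf` for nginx, which deny direct requests for `.yaml` and other non-asset files under `user/`. A common way for a deployment to end up in the state described in the post is an Apache vhost with `AllowOverride None` (so `.htaccess` is ignored) or an nginx vhost that was written without those `location` deny rules. Once the rules are in place, rerun the script and every line should read `403 blocked` (or `404 blocked`).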