This is not a full solution yet for this issue but it may improve things for the next patch release by detecting redirects a bit better for the config file.
Added FAQ with more information: https://matomo.org/faq/troubleshooting/how-do-i-fix-the-error-private-directories-are-accessible/ as users currently wouldn't know what to do. It's far from perfect but we can tweak it over time and it provides more information for now.
Also now blocking `.git` directory automatically if it exists. Would be otherwise complicated to explain how to do it. Not sure why we didn't do it earlier.
Also added new command `core:create-security-files` to create these files automatically if Matomo does not have the permissions to do it automatically (see the FAQ). Initially, I had added the creation of these files to the `diagnostics:run` command (or when you open system report) but this would have caused issues as they would have potentially never noticed that they need to create these files after every update etc (because the security files would be created when viewing the system report but it would not show there was a problem between updating Matomo and viewing the report :-) ). Using this command it makes it easier for users to tell them in the guide how they can fix the issue.
I will leave a comment in the issue about what needs further tweaking.
@tsteur it looks like this includes some extra commits from another PR, is that right?