https://matomo.org/faq/troubleshooting/how-do-i-fix-the-error-private-directories-are-accessible/
Like others I had the problem of this message not getting fixed by running "core:create-security-files". Turns out, the domain in Apache was not configured to "AllowOverride All" which is needed for .htaccess to work.
A note should be added here that users should check this.
btw: When I tried to post the above text as a feedback on that page, I got blocked by WAF:
Forbidden
Request was blocked by WAF.
Request ID: 50562432-e4ff-44e5-97a6-9f4891e6376c
Thanks for this @larsen0815 . Very appreciated. I've added this to the FAQ.
Regarding the WAF: Do you remember when you tried to post this? I couldn't find this request ID in the logs so far.
WAF: Right before I created this issue. Tried it twice within ~2 minutes.