Text editors create temporary or ".bak" files, and version control systems create "hidden" directories and files. SQL backups, translation files, you name it, are left littering the filesystem. Database credentials and other sensitive information can be exposed this way. We see this issue cropping up again and again; you may refer to the discussions at #1907704: Restrict temporary files created by text editors and #581706: Protect .git, .hg and .bzr directories in .htaccess for more background. Let's aim to solve the larger problem.
Blacklist solutions such as
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\.git.*|\.hg.*|\.bzr.*|\.svn.*|\.cvs.*|Entries.*|Repository|Root|Tag|Template)$">
in .htaccess have been proposed. However, we should be using a whitelist.
Is .htaccess the best way to implement this? Maybe not. In any case, a whitelist makes more sense.
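To see the gap concretely, here is an added example (not part of the original issue or of Drupal's code) that runs the blacklist pattern quoted above over constructed file names and compares it with a hypothetical extension whitelist. The sample names, the allowed-extension set and the function names are assumptions made for illustration.

```python
import re

# Blacklist regex copied from the FilesMatch directive quoted above.
# FilesMatch tests the file's base name with unanchored search semantics.
BLACKLIST = re.compile(
    r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme"
    r"|tpl(\.php)?|xtmpl)$"
    r"|^(\.git.*|\.hg.*|\.bzr.*|\.svn.*|\.cvs.*|Entries.*|Repository|Root"
    r"|Tag|Template)$"
)

# Assumption: a hypothetical set of extensions the site intends to serve.
ALLOWED_EXTENSIONS = {"php", "css", "js", "png", "jpg", "gif", "ico", "txt"}

# Constructed sample of base names that can end up in a docroot.
SAMPLE = [
    "index.php", "drupal.js", "node.module", "dump.sql", ".gitignore",
    "settings.php.bak", "settings.php~", ".settings.php.swp",
    "backup.sql.gz", "#settings.php#",
]


def blacklist_blocks(name):
    """True if the quoted blacklist pattern would deny this base name."""
    return BLACKLIST.search(name) is not None


def whitelist_allows(name):
    """Default deny: serve only non-hidden files with an allowed extension."""
    if name.startswith("."):
        return False
    _, dot, ext = name.rpartition(".")
    return bool(dot) and ext.lower() in ALLOWED_EXTENSIONS


def blacklist_gaps(names):
    """Names the blacklist would still serve but the whitelist denies."""
    return [n for n in names
            if not blacklist_blocks(n) and not whitelist_allows(n)]


if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:20} blacklist_blocks={blacklist_blocks(name)!s:5} "
              f"whitelist_allows={whitelist_allows(name)}")
    print("served despite blacklist:", blacklist_gaps(SAMPLE))
```

Every editor backup or compressed dump in the sample passes the blacklist because its name ends in a suffix nobody thought to list, while the whitelist denies it by default.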