As an outcome of #1914018: Configuration files under security risk, I found that web.config is not protecting the folders sites\default\files\config_*.
We may also need to review the match filters of .htaccess in the root folder of Drupal to see whether we need to do something there or not.