The sites/default/files directory contains a .htaccess file that applies security measures. However, a .htaccess file in a subdirectory can override it, introducing security vulnerabilities without Drupal giving any notification of the potential issue. Core already scans for .htaccess files at one layer, but not at the layer(s) below. Why should the status page raise a flag when the .htaccess files at the various file roots are wrong, yet ignore the case where their settings are reversed one layer down?
Make the system stronger at preventing attacks by adding a warning about .htaccess files in subdirectories or non-standard content in public://.htaccess.
The first step is to determine whether an improved scan and alert is something that should be included in core or in the Security Review module.
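The check proposed above can be sketched as a stand-alone audit script. This is an added example, not code from Drupal core or the Security Review module; the function names are hypothetical, and the expected content of the root .htaccess is passed in by the caller because the page does not reproduce it.

```python
import os
import tempfile

def audit_htaccess(files_root, expected_root_content):
    """Return (root_ok, nested) for a public files directory.
    root_ok: True when files_root/.htaccess exists and matches the baseline.
    nested:  sorted (relative path, active directives) pairs for every
             .htaccess below the root, where it can override the root file."""
    def normalise(text):
        # Ignore line endings and trailing whitespace when comparing.
        return [line.rstrip() for line in text.strip().splitlines()]

    def read(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()

    try:
        root_text = read(os.path.join(files_root, ".htaccess"))
        root_ok = normalise(root_text) == normalise(expected_root_content)
    except OSError:
        root_ok = False  # a missing or unreadable root file is a finding

    nested = []
    for dirpath, _dirs, filenames in os.walk(files_root):
        if dirpath == files_root or ".htaccess" not in filenames:
            continue
        path = os.path.join(dirpath, ".htaccess")
        try:
            lines = [l.strip() for l in read(path).splitlines()]
            directives = [l for l in lines if l and not l.startswith("#")]
        except OSError:
            directives = ["<unreadable>"]
        nested.append((os.path.relpath(path, files_root), directives))
    return root_ok, sorted(nested)

def demo():
    # Constructed tree and baseline, built in a temporary directory.
    baseline = "# constructed baseline\nOptions -Indexes\n"
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "styles", "thumb")
        os.makedirs(sub)
        for folder, text in ((root, baseline), (sub, "# note\nOptions +Indexes\n")):
            with open(os.path.join(folder, ".htaccess"), "w") as fh:
                fh.write(text)
        return audit_htaccess(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Any entry in the nested list is a candidate for the status-page warning; the directives are returned so a reviewer can see what the subdirectory file changes relative to the root.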
Applies to D8 and D7.
Reported by acrosman.