In security a common (and good) approach is to deny all access to a resource and specify what can access it specifically. Often this is done the other way around; allowing access to everything and specifyng what is not allowed.
As described in http://drupal.org/node/93843 I am suggesting to change the following in .htaccess:
# Protect files and directories from prying eyes. <FilesMatch "..."> Order deny,allow Deny from all </FilesMatch>
# Protect files and directories from prying eyes. <FilesMatch "..."> Order allow,deny </FilesMatch>
Because the latter is the correct implementation of "Default = Deny, Allow what is set" and is thus technically 'more correct'.