In addition to the previous posts ...
Your web server runs as user "nobody" or "apache" (if you're using Apache).
If a malicious intruder guesses the password for user "nobody" or "apache", they have read/write access to any file that "nobody" or "apache" has access to. Which means ...
They can now read/modify any file accessible by your web server's "user", including any files stored in directories accessible by "nobody" or "apache".
By storing the sensitive files in an alternate directory, preferably outside of the "normal" web server directories, you have the opportunity to restrict access to sensitive files, or to at least establish a different authorization mechanism for those files, which reduces the chance that they will be compromised.
You can usually set up any authentication mechanism (i.e. mysql login) in a less-susceptible directory, and use the various PHP authentication mechanisms to get into those sensitive directories by using a different username/password combination from the default web server username/password combinations ... reducing the chance of compromise.
Check out the various encryption methods available to you in PHP, realizing that many of them have been compromised on a global basis, for specific instances at a very profound level. For example, SSH0, SSH1, MD5 and others have been found to be able to be compromised by very sophisticated, very specific ways ... probably not for you to worry about in day-to-day implementations, but worth researching.
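One concrete way to apply the advice above about keeping sensitive files outside the web server directories, as an added example that is not part of the original post. The paths `/etc/myapp/db.ini` and `/var/www/html`, and the ini keys, are assumptions for illustration.

```php
<?php
// Added example (not from the original post): load database credentials
// from a file kept outside the document root, and refuse to use it if
// it sits under the document root or is readable by other users.
// Assumed: /var/www/html is the document root, /etc/myapp is a config
// directory owned by the web server user with mode 0700.
declare(strict_types=1);

const CONFIG_PATH = '/etc/myapp/db.ini';   // assumed, outside /var/www/html

function loadDbConfig(string $path = CONFIG_PATH): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("config file not found: $path");
    }
    // A credentials file placed under the document root could be served
    // verbatim to any client that requests it, so refuse that location.
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '/var/www/html');
    if ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("config file must not live under the document root: $real");
    }
    // Only the owner (the web server user) should be able to read the file;
    // any group/other bits (mask 0077) mean other local accounts can read it.
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            'config %s is readable by others (mode %04o); chmod 600 it', $real, $mode));
    }
    $cfg = parse_ini_file($real, false, INI_SCANNER_TYPED);
    if ($cfg === false) {
        throw new RuntimeException("could not parse $real");
    }
    foreach (['host', 'user', 'password', 'dbname'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("missing key '$key' in $real");
        }
    }
    return $cfg;
}

// Usage: the page script never embeds the password; it is read at runtime
// from the protected file and handed straight to PDO.
$db  = loadDbConfig();
$dsn = "mysql:host={$db['host']};dbname={$db['dbname']}";
$pdo = new PDO($dsn, $db['user'], $db['password']);
```

The permission check is a belt-and-braces measure: the directory outside the document root keeps the file away from HTTP requests, and the mode check catches a file that was copied in with permissions too loose for a shared host.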