Put them below the public html folder, so if your directory structure looks something like
'/var/domains/example.com/htdocs/...all this is public'
Then put the htaccess in the htdocs folder, as then it is below public access level and if someone has hacked into the server then you have larger problems than what CHMOD to give these files.

Although this is not really my area as this is server set-up, I have tried to put my htaccess to 600 and it wont allow it. It will allow 644, so everyone can read the file. I am guessing that as each call for a page is made by 'nobody' that they need to have permission to read that file. Otherwise the server would not be able to serve them, as they couldn't call the htaccess file. However this could be something specific to the ftp program that I am using or my system. So would be interesting to see what others think.