Apache configuration and security

Hi all, sorry for maybe a dumb question, or if my google-fu has failed me.

I’ve installed nextcloud, located the data folder outside of web root. However, should I be worried that extensions/“apps” appear to be in web root? E.g. if an attacker knew the URL could they download my bookmarks db?

If so are there recommended apache configurations that I should look in to?

Thanks!

This should not be possible if the apache settings are correct, here is an example configuration:
https://docs.nextcloud.com/server/12/admin_manual/installation/source_installation.html#apache-configuration-label