no, there is not a way to change the default paths, and using the standard paths should not be a problem.
those files do not contain any code that is readable by a web browser. to see the contents of those files, a hacker would need to access the source code directly through the file system
even if they where stored outside of the web root, if the hacker gains access to the servers file system, they will still be able to access those files and the content.