Maybe you’ve seen filesystem root folders named “public_html”? In this case, the hint is what’s inside is not “private”.
Alongside the filesystem root folder you can see other folders and files. If you didn’t make them and you don’t know what they are, tread careful. BUT - you should be able to easily create a filesystem folder alongside the others and put sensitive information, private files, etc. in it. eg. “db-logins” or whatever makes sense to you.
The key difference is that PHP can access what’s in the filesystem below the site’s area of the server. HTTP requests can have access to what’s under the filesystem public root. PHP can access what’s in the filesystem below the site’s area of the server including what’s under the filesystem public root.
Doing more outside of the site’s area is what I call “server administration” and largely “only when I absolutely have no other choice” but as long as you don’t overdo things it should be OK. I suppose if in doubt ask your host first? I don’t imagine most would mind a bit of config / directives but mega TB would likely get attention.