Question: What should happen if a user tries to visit a block template or template part folder or file directly? Is there a potential security issue?
Answer: If you attempt to visit the folder then you may get a 403 or a 404 from the website hosting. If you visit a file then you’ll probably see rubbish.
Note: There shouldn’t be anything in template or template part files that could reveal sensitive information. ie There should be no hardcoded passwords, API keys or other information that must not be generally available.
The fact that some requests may result in a hosting company’s error pages has not been addressed.