Came across an alarming feature the other day, my wifi QR code was publicly accessible online! (see my specific query here = tldr I use the duckdns method to connect remotely, image used in picture card for guests to log on via the wall-tablets).
It seems there is little reason to have the domain.tld:8123/local/ directory available to anyone with the file names and locations. As well as potentially sensitive floorplans (valuable items and cctv locations anyone?!), profile pics, qr codes in my case, etc. HACS stores its frontend files in the www directory, not sure if theres any risk there but I’d rather as little as possible was accessible without auth.