woocommerce offtopic – Which php files, in a WordPress setup, do not need direct web access?
Many php files in a WordPress installation are only used through require() or include(). Leaving them exposed to direct web access may increase security risks. Files such as wp-config.php have no need to be called directly from the web. For this reason it is OK to add a RewriteRule to the .htaccess file, redirecting requests for wp-config.php to a 404 page, for example:
RewriteRule ^wp-config\.php /error404.htm [L,R=301,NE]
My question, for those of you who have already checked and tested which files have no reason to be accessed directly from the web, is: is there a list of php files that are safe to “protect” with a RewriteRule? In your experience, are there downsides to doing so?
I did search StackExchange and the web, and found very little about it. This question, asked 12 years ago, does not have a good answer yet: Which of WordPress’s .php files need to be directly accessible via HTTP?
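Added example, not part of the original question: a small offline check for the "downsides" part, which runs candidate RewriteRule patterns against paths that should be blocked and paths that must stay reachable before a rule goes into .htaccess. The path lists and the catch-all pattern are constructed assumptions, the first pattern is the question's rule with its dot escaped, and Python's re stands in for the PCRE engine mod_rewrite uses.

```python
import re

# Constructed request paths, written the way a per-directory (.htaccess)
# RewriteRule sees them: relative to the WordPress root, no leading slash.
MUST_BLOCK = [
    "wp-config.php",
    "wp-config.php.bak",  # constructed: leftover backup copy of the config
]
# Assumption: entry points that browsers, AJAX calls or cron request directly.
MUST_ALLOW = [
    "index.php",
    "wp-login.php",
    "wp-cron.php",
    "wp-admin/admin-ajax.php",
]

# Candidate patterns to compare (labels are for this example only).
CANDIDATES = {
    "prefix match": r"^wp-config\.php",
    "end-anchored": r"^wp-config\.php$",
    "hypothetical catch-all": r"^wp-.*\.php",
}


def rule_matches(pattern, path):
    """RewriteRule patterns are unanchored unless they use ^ or $, so search()."""
    return re.search(pattern, path) is not None


def audit(pattern):
    """Return (missed, broken) for one candidate RewriteRule pattern.

    missed: paths that should be blocked but the rule does not match
    broken: paths that must stay reachable but the rule would catch
    """
    missed = [p for p in MUST_BLOCK if not rule_matches(pattern, p)]
    broken = [p for p in MUST_ALLOW if rule_matches(pattern, p)]
    return missed, broken


if __name__ == "__main__":
    for label, pattern in CANDIDATES.items():
        missed, broken = audit(pattern)
        print(f"{label:24} {pattern:18} missed={missed} broken={broken}")
```

The end-anchored form leaves the backup copy reachable, while the catch-all would cut off the login page, cron and admin AJAX, so any rule broader than a single file name needs an allow list checked this way first.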