They can. Do you have access? So others might as well. Password theft, errors in server or application security. Thermorectal cryptanalysis in the end.

Only a few simple steps to set up .htaccess, robots.txt come to mind

robots.txt- has nothing to do with access control, it's just some kind of agreement between the Google bot and the owner of the site, allowing not to complicate life for each other.
.htaccess- this is the Apache config , which determines how the web server processes HTTP requests and what, how and to whom (authorization / user sessions) returns in response. The web server can be made to give / not give the contents of the file system as you like. In general, the content of a "site" (such a vague concept) "showed" (available) to an HTTP client does not necessarily repeat the directory structure in the server's file system (the notion that the web server "opens" the contents of the file system on the Web has historically developed due to corresponding to the architecture of Apache, which was originally designed for static sites).
Even without any configuring .htaccess on all serious hostings, by default, only the content is publicly open public_html(only on very school hostings, public access comes from the root by default), everything that is higher in level is inaccessible from the Web side (unless you specifically open it through .htaccess ).
Много таких "идейных" по весне оттаяло. Везде они могут получить доступ (на словах), хацкеры диванные, попугаи-попугайчики.