Not safe, let's remember the leaks of all SMS messages from major mobile operators 5 years ago.
It can be stored in txt files, but since there is php on the server, then give it through it. That is, the "base" of the files lies in a folder that cannot be accessed from the outside, but PHP itself can look at the folder and read files. Let this php give out the content of the files for the duration of the session. The same php file also defines the rights to access data, if there is a multi-user option or just password access.
Through mod_rewrite, you can simulate the extension .txt in the address bar, and through the content type the format text.

Any question with the text "is it safe ..." begins with the proto-question "who am I protecting myself from?". Since there is "safety", then there is "danger", isn't it? So who is the "danger"? Hacker Vasya from tyrnet? Server admin? Comrade Major?

Secret settings, keys and passwords must be written to environment variables.

if the server is compromised, the data will not be protected

Use uuid in the file name and it will be impossible to guess :) But that's only if you turn off directory listing on the server of course.
Many CDNs work this way! For example, if you look at the preview url of a video on YouTube, you will see that the url is very long and unpredictable. Even if this is a private video, the url on the preview in the incognito tab will be visible!