Should the web server be configured to disallow serving the .smw.json file?
After reading the comments in GitHub, and the edit to the Help: page, I'm still not sure what the recommendation is.
It seems like the file does not contain any sensitive data, therefore no need to worry about it. On the other hand, MWJames said treat it like LocalSettings.php -- which does normally contain sensitive data -- but that sensitive data is not revealed as long as the webserver is operating properly. In other words, a site admin doesn't have to do anything special with respect to "protecting" LocalSettings.php.
If protection is warranted, then perhaps I should submit a patch with something like
.htaccess for SemanticMediaWiki directory:
<Files ".smw.json"> Require all denied </Files>
This file does indeed not contain sensitive data. It is here to assure best operational experience though people are around who challenge this assessment, but this is another story. Anyhow, if you would like the file to be protected additionally when you can indeed do this on web server level. This can very well be documented here. Same goes for the "elasticsearch.profile.json" file if you are using this.
