I've noticed that in the PHP web server project .git files can be accessed from the internet. With some effort, somebody could in theory rebuild your project's source code even if your project is private.
Technically it doesn't matter if your projects is open source.
.env files might need to be hidden, but you can just add that to
.gitignore. And the reason that PHP isn't really that good and uses the development server is because the repl.it team is more focused on technologies such as Node.js. It's technically impossible to hide the
.git directory since the development server isn't apache (although I have gotten it to work).