We wrote a blog about ELK + Hypernode + log-courier: https://elgentos.nl/blog/logging-magento-logs-with-elk-stack/
Filebeat seems a plausible way to go at this point in time.
I'd say deny access by default and document how to open them up, like you said. What would be the use case for having, for example, a .modman folder publicly accessible?
Accessible internally or publicly?