Config for protected folders in Apache should be done in vhost file
Currently a .htaccess file is used to realize folder protection, which is not recommended (https://httpd.apache.org/docs/2.4/howto/htaccess.html#when). This should be done directly in the vhost file with an additional <directory> directive. The .htpasswd file could go, for example, to /var/www/.../private and not be accessible via web even if the user makes a strange config (or stay where it is).
(The background is that I had a user who set the option "Apache AllowOverride=none" for performance reasons without realizing that this disables the password protection.)
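
A sketch of the vhost-level layout requested above, added here as an illustration; it is not part of the original report and not the project's generated configuration. The host name `example.test`, the `members` folder and all paths are placeholder assumptions.

```apache
# Constructed example: example.test, "members" and every path are placeholders.
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/example.test/web

    # With AllowOverride None, .htaccess files under this tree are never read,
    # so authentication directives kept in them would be silently ignored.
    <Directory /var/www/example.test/web>
        AllowOverride None
        Require all granted
    </Directory>

    # Folder protection declared in the vhost itself: it stays in force
    # whatever AllowOverride is set to.
    <Directory /var/www/example.test/web/members>
        AuthType Basic
        AuthName "Restricted area"
        AuthBasicProvider file
        # Password file kept outside DocumentRoot, so it cannot be fetched over HTTP.
        AuthUserFile /var/www/example.test/private/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

After a change like this, `apachectl configtest` checks the syntax, and an unauthenticated request to the protected folder should return 401.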