Currently, MediaWiki's main entry points such as index.php, api.php, and load.php are in the repository's base directory. This makes it very difficult for anyone installing MediaWiki to follow good security practices and expose only the entry points via the web server, with all non-entry-point files stored elsewhere.
We should, instead, place these files in a subdirectory (name it "webroot" or "www" or "public_html", bikeshed later).
The drawback is that installation becomes more complex. Instead of just dumping MediaWiki into /var/www (or equivalent), someone has to set up symbolic links or configure the web server to serve MediaWiki's virtual base path from a different location, not only for the webroot itself but also for the various resources pointed to by configuration settings such as $wgResourceBasePath ($wgExtensionAssetsPath, and $wgStylePath), and $wgUploadPath.