Suggested by Tim in the code review for https://gerrit.wikimedia.org/r/#/c/384930/
Most secret information like database passwords are kept in LocalSettings.php, so blacklisting that file by default would take away a lot of information an attacker would want.