Dotfiles often contain sensitive things (e.g. a .git directory, editor swap files, or temp files). We will serve them in the extension directory if they have a safe-sounding file extension. For example: https://en.wikipedia.org/w/extensions/WikimediaMaintenance/.phpcs.xml
While I don't think we're vulnerable in any way (we don't deploy .git files), I think this is a good hardening step.
Fun fact: under certain obscure circumstances (a lot of other potential file names taken), vim may use .svg as a file extension for its swap file!
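An audit sketch for the hardening step described above, added here as an example and not part of the original report or of MediaWiki's code: it walks a deployed directory and lists the files that an extension-only allowlist would serve but a "no dot-prefixed path segment" rule would block. The allowlist contents and all sample file names other than `.phpcs.xml` are assumptions.

```python
import os
import tempfile

# Assumed allowlist of "safe sounding" extensions; the real list is not on the page.
SERVED_EXTENSIONS = {".xml", ".svg", ".png", ".js", ".css", ".json"}

def has_dot_segment(rel_path):
    """True if any directory or file name in the path starts with a dot."""
    return any(part.startswith(".") for part in rel_path.split("/") if part)

def would_serve(rel_path, block_dotfiles):
    """Model the serving decision: extension allowlist, optionally plus a dotfile deny rule."""
    ext = os.path.splitext(rel_path)[1].lower()
    if ext not in SERVED_EXTENSIONS:
        return False
    return not (block_dotfiles and has_dot_segment(rel_path))

def audit(root):
    """Return files served today by extension alone that the dotfile rule would stop."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if would_serve(rel, False) and not would_serve(rel, True):
                exposed.append(rel)
    return sorted(exposed)

def build_sample_tree(root):
    """Constructed sample layout; only .phpcs.xml comes from the report."""
    for rel in (
        "WikimediaMaintenance/.phpcs.xml",       # dotfile with an allowlisted extension
        "WikimediaMaintenance/.Foo.php.svg",     # vim swap file that fell through to .svg
        "WikimediaMaintenance/.cache/dump.json", # ordinary name inside a dot directory
        "WikimediaMaintenance/.git/config",      # no allowlisted extension: never served
        "WikimediaMaintenance/logo.svg",         # legitimate asset, must stay reachable
    ):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit(root)

if __name__ == "__main__":
    for rel in demo():
        print("served only because of its extension:", rel)
```

The check covers dot-prefixed directories as well as file names, so a file with an ordinary name under a dot directory is also reported.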