Password protection through .htaccess is the wrong way to go. (And it's not a dumb question. A dumb question is "are you mad at me for A or for B?" - especially if she didn't know about A or B and was mad at you for C.)
If the root "htdocs" directory for your domain is
then browsers have access to anything in public_html or anything in a subdirectory of it. YOU, however, have access to anything in
and anything that is a subdirectory of it, and since CGI programs run with the same permissions that YOU have from the command line, this allows you to have your CGI programs use files which CANNOT be accessed from a browser.
For instance, you could have
where yahoo.com, amazon.com, and disney.com are your domains (so dream a little!) and data is a directory which cannot be directly accessed by the webserver.
You could put files in that data directory which are accessible to CGI programs run on any of the domains, yet would not be directly accessible to browsers.
In most cases, you can use existing scripts by entering "/home/username/data/myfile.txt" instead of simply entering "myfile.txt" as the name of the data file.