How would that be a security risk?
Since a PHP script in your domain directory can access anything in your user directory, the only real difference is that they won’t be able to directly access the files from the web.
Otherwise, it’s not like people can view the source of your PHP script and see where you’re including files from, so you could just keep them anywhere in your domain directory… avoiding something obvious like example.com/includes/, without an index file.
But… that is just hiding them, not preventing access, like putting them outside of the domain directory.
Save up to $96 at Dreamhost with ALMOST97 promo code (I get $1).
Or save $97 with THEFULL97.