um, no. If he puts the files in a web directory they are 'open to the world'. However, if he puts them in his users home directory, as suggested above, they are not publicly accessible and are as safe as files on a shared server can be.
Any extra protection offered by .htaccess is only relevant if he stores the files in a web directory, which would be a silly thing to do. .htaccess offers no extra protection for files not in a web directory.
Save [color=#CC0000]$50[/color] on DreamHost plans using [color=#CC0000]PRICESLASH[/color] promo code (Click for DreamHost promo code details)