The webserver should not need to directly serve files in the maintenance directory (I would suggest that PHP files should still be able to include stuff from maintenance, although strictly speaking I'm not sure how necessary that is).

The scripts are designed so that nothing bad should happen if your webserver has access; however, if you are paranoid, I would suggest restricting access.

Generally the only thing that needs to be directly accessible by the webserver is the PHP files in the main directory, the images directory, the extensions directory [mostly for backwards compat], the skins directory [for backwards compat, not needed for most modern skins], maybe the resources directory [particularly in debug mode] and the mw-config directory during install and if using the web updater. Of course, the PHP files in include need to be readable by the webserver, but they don't need to be directly accessible. For example, Wikimedia sites restrict what's accessible via stub endpoints in https://github.com/wikimedia/operations-mediawiki-config/tree/master/w and https://github.com/wikimedia/operations-mediawiki-config/blob/master/w/static.php to serve static files.

If you are using Apache, this might already be the case, since there is a .htaccess file in the maintenance directory.

On Thu, Dec 17, 2020 at 7:02 AM Jeffrey Walton <noloader@gmail.com> wrote:
Hi Everyone,

Forgive my ignorance... Should the webserver have access to the
maintenance/ directory?

The reason I ask is, I run scripts from maintenance/ manually, like
update.php. But it is not clear to me if the webserver should be
running anything on its own.

Jeff

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
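
An added example, not part of the original thread and not MediaWiki's own code: a small access-log check that reports successful (2xx) responses for paths outside the set the reply lists as needing direct web access, such as anything under maintenance/. It assumes the wiki is installed under the URL prefix `/w` and that the log is in common/combined format; the log lines are constructed samples.

```python
import posixpath
import re
from urllib.parse import unquote

SCRIPT_PATH = "/w"  # assumption: URL prefix where MediaWiki is installed
# Directories the reply lists as needing direct web access.
ALLOWED_DIRS = {"images", "extensions", "skins", "resources", "mw-config"}
# Request path and status code from a common/combined format log line.
LOG_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')


def is_expected(url):
    """True if the reply's list says this path needs direct web access."""
    # Drop the query string, decode %xx, and collapse "../" segments first.
    path = "/" + posixpath.normpath(unquote(url.split("?", 1)[0])).lstrip("/")
    if path != SCRIPT_PATH and not path.startswith(SCRIPT_PATH + "/"):
        return True  # outside the MediaWiki tree; not judged here
    parts = path[len(SCRIPT_PATH):].strip("/").split("/")
    top = parts[0]
    if top in ALLOWED_DIRS:
        return True
    # Otherwise only the wiki root and PHP files in the main directory.
    return len(parts) == 1 and (top == "" or top.endswith(".php"))


def find_exposed(lines):
    """Return (url, status) for 2xx responses outside the expected set."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and 200 <= int(m.group(2)) < 300 and not is_expected(m.group(1)):
            hits.append((m.group(1), int(m.group(2))))
    return hits


# Constructed sample log lines (documentation IP range, made-up sizes).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Dec/2020:07:02:00 +0000] "GET /w/index.php?title=Main_Page HTTP/1.1" 200 5123 "-" "-"',
    '203.0.113.5 - - [17/Dec/2020:07:02:01 +0000] "GET /w/maintenance/update.php HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.5 - - [17/Dec/2020:07:02:02 +0000] "GET /w/maintenance/update.php HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.5 - - [17/Dec/2020:07:02:03 +0000] "GET /w/images/../includes/Setup.php HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.5 - - [17/Dec/2020:07:02:04 +0000] "GET /w/resources/example.js HTTP/1.1" 200 840 "-" "-"',
]

if __name__ == "__main__":
    for url, status in find_exposed(SAMPLE_LOG):
        print(f"served outside expected set: {status} {url}")
```

A 403 or 404 for maintenance/ is not reported, since a refused request is the outcome the restriction is meant to produce.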