[Jon]

It is the ideal method but just putting them in a folder above public_html i.e. /home/httpd/domain.com/public_html/store/files/ will work if you have an .htaccess file in it denying access to the files. It's just a bit less secure because the .htaccess could get overwritten or deleted, etc., opening up the files.