The biggest reason I do this, at times, is in a cgi environment. I put all my logic in modules that are outside of the cgi directory. One day, if someone screws up the mime type for .pl or .cgi or whatever I am using, the worst you get are where my modules are stored and the names of them.. plus a function inside.

Hopefully, my webserver is setup correctly to never allow access to those directories. I can put in the extra precaution in my httpd.conf (apache) to disallow access to taht directory.. just in case someone breaks mime types. Won't work in a jail environment, unless I put them in my cgi directory AND put the disallow.

Anyway, maybe it's just being paranoid or a security nut. :)