If we don't want to show any file or folder to 'Anonymous user', 'Authenticated user' then we have 2 options.
1. We can set the 'Permission' for this file or folder.
2. If we are using Pantheon server then we have 'pantheon.yml' file on root.
Write the code there.
protected_web_paths:
- /web.config
- /core/package.json
And this way easily we can protect our file or folder from unknown users.
Note: If have any suggestions or issue regarding 'How to protect file from public access in Drupal 8?' then you can ask by comments.
