The template options allow you to link to external files, which reside in a directoy of your choice under Site Root. These linked files are obviously valuable in the sense that they contain the product of your design work, and reflect your ability to use Movable Type's templating language.
Is it necessary at all, as a user/administrator of your MT installation, to take any steps to secure (password-protect) a directory with such files on the server?
Reported on Movable Type 4.2
Let's put it differently: If somebody were about to somehow get all files on your server, how much time would it take - 2 years, or 2 minutes - a degree in computer science or a free tool and some curiosity?
Does Six Apart offer a word on this topic?
It would be a good idea to password protect the directory if you has sensitive information in your templates. Only you can know that for sure, but the default templates, for example, are completely harmless. There's nothing in those that is sensitive.
All of that said, why link the files underneath the web-accessible part of your server? You can link them anywhere on the entire server? The whole question is rendered moot if you just link them elsewhere.