Security: Should I move vendor dir and composer.json outside of document root?

Question 1

You should move it out of DOCUMENT_ROOT.

The usual structure of a framework application is that the top level directory (containing stuff and also the composer.json file) is NOT the DOCUMENT_ROOT. There usualls is a dedicated directory for this, maybe named "public" or "htdocs" inside that contains all the usual assets (CSS, JS, pics) next to "the" central index.php file.

If you can't get that layout with a shared hosting, you probably should move on, because you cannot hide files from direct HTTP access there.

Question 2

You mention Symfony in your example link. If you're using Symfony, if your project is in .../project, then your document root is .../project/web and that's what you tell Apache or the server you're using to use. Everything else is your "app" (let's call it that) and it doesn't need to be provided to the public.

Question 3

You should hide this files from prying eyes.

Just organise files correctly. For example following structure:

proj
|-- app
|   |-- bootstrap.php
|   +-- functions.php
|-- composer.json
|-- composer.lock
|-- public
|   |-- index.php
|   |-- css
|   |-- images
|   +-- scripts
+-- vendors
     |-- package1 
     +-- package2

Put all your logic into app (also can be src, lib etc)
Put all assets in public directory (also can be www, webroot etc)
Put simple index.php in public where include your application bootstrap file from ../app like require dirname(__DIR__) . '/app/bootstrap.php';
Hide all the rest from public
- set webserver to serve files from /path/to/proj/public
- or, in case of shared hosting, secure root dir with .htaccess file:

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule    ^$    webroot/    [L]
    RewriteRule    (.*) webroot/$1    [L]
</IfModule>

Please note: if you're using framework, especially MVC — it will be better to follow recommended by framework structure.