No, your code in the server directory is safe. The difference is in how you use/access those files. Files in your server directory will be loaded/executed on the server, and they would also be difficult to access using the filesystem in the running app. Content of files in your private directory is available as an asset. See http://docs.meteor.com/#assets for full details.
The thing to note is that your server code does not execute in your server directory, but will have a current working directory that is a temporary build directory within .meteor. So if you wanted to use, say, the fs node package to read files in your server directory, you'd first need to find it. Moreover, any new file or a file change in your server directory will trigger Meteor to restart your app. There are scenarios where you don't want that. So private gives you a place to handle files that do not affect the execution of the app.
Another way to think about it is that private is for the server what public is for the client.