While I don’t think that showing these files is insecure (after all everyone can check their content in the github repo), they are not needed for Matomo, so you can configure your webserver to return 404 for requests to them.
thank you for the information. I continue wondering why there are non-required files in the package, but however, I added the files to the list of files to delete after updating so for me this one is solved