Default code such as the default view/layout is better put in the protected directory, because once someone knows Yii's package structure and naming, guessing files in such a folder is easy.
For custom code such as theming, much of the structure and naming differs between themes and is beyond the scope of basic security.
Perhaps it is OK for the default view or theming not to be in the protected folder; in other frameworks it can be added by YOURSELF.
Yii has CAssetManager, which is a Web application component that manages private files and makes them accessible to Web clients; that may be what you are looking for.
Themes are in the webroot because they contain web assets that need to be accessible with a web browser (CSS, JS, images, etc.). Views are in the same location to make themes consistent and to allow easily moving a theme from one project to another (you just copy a single directory).
To make it more secure, you can put an .htaccess in the views subdirectory of the theme with “Deny from all”, so view files won’t be accessible with an HTTP request. The .htaccess file will work in Apache; for other web servers you will have to configure access restrictions elsewhere…
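An audit for the .htaccess suggestion above, as an added example that is not part of the original thread or of Yii itself: it lists every `themes/<name>/views` directory under a webroot that lacks an active deny rule. The function names are hypothetical; it accepts the “Deny from all” form from the post as well as the Apache 2.4 equivalent `Require all denied`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find theme view directories that are
# reachable over HTTP because no .htaccess deny rule protects them.
# Assumes the themes/<name>/views layout discussed in the thread.

# Succeeds if the given .htaccess exists and has an uncommented deny-all rule.
# "Deny from all" is the Apache 2.2 form quoted in the post;
# "Require all denied" is the Apache 2.4 form.
has_deny_rule() {
    [ -f "$1" ] || return 1
    grep -Eiq '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$' "$1"
}

# Prints one "UNPROTECTED <dir>" line per exposed views directory.
# Exit status is 1 if any were found, 0 otherwise.
audit_theme_views() {
    local webroot views found
    webroot="$1"
    found=0
    for views in "$webroot"/themes/*/views; do
        # Skip the unexpanded glob and themes that ship no views directory.
        [ -d "$views" ] || continue
        if ! has_deny_rule "$views/.htaccess"; then
            echo "UNPROTECTED $views"
            found=1
        fi
    done
    return "$found"
}

# Run directly as: ./audit.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    audit_theme_views "$1"
fi
```

The script only checks that the rule is present in the file; Apache honours it only when `AllowOverride` permits .htaccess files for that directory, so confirm with a real request to a view file as well.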
I can second the wish to use themes but have the theme views in protected. In my app, I have a default theme that is oriented towards desktop users. However, it has turned out to be not so good on my Android phone, so I created a mobile theme, which to a large extent is just a CSS file, but for the main view it would make sense to use a different view.
I ended up not using the built-in theme framework and instead have if-statements in my code that output the "default" theme in different ways depending on which theme is selected in my own theme selector component. This way I can add tweaks here and there to the HTML output while doing most of the customization in a CSS file in the usual place.