Basically, you work against Yii’s ‘asset manager’ and ask it to ‘publish’ some assets that your module has. You shouldn’t care how, where and why it does what it does. The publish() call returns the URL you then plant in your views files (to be referenced from client side).
That’s in a nutshell. Of course, you can deviate from this typical path and do things your own way. I strongly recommend first learning how things are done in the ‘traditional way’ in Yii, and only once you understand them well - consider your approach/design.
I strongly recommend reading this good wiki article to better understand ‘Yii assets’.
The assets folder is a publicly available folder while the entire /protected folder is… as its name implies - protected, and cannot be accessed directly from the web (and should not). Since the entire application, including your extensions and modules rest inside /protected, you need to somehow ‘publish’ the needed ‘assets’, and here we go back to the links already given above on the subject of the assets manager and ‘publishing’ of assets.