Themes are in webroot, because they contain web assets that need to be accessible with a web browser (CSS, JS, images, etc.). Views are in the same location to keep themes consistent and allow easily moving a theme from one project to another (you just copy a single directory).
To make it more secure you can put an .htaccess in the views subdirectory of the theme with “Deny from all”, so view files won’t be accessible with an HTTP request. The .htaccess file will work in Apache; for other web servers you will have to configure access restrictions elsewhere…
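As an added illustration (not part of the reply above), an `.htaccess` for the theme's views directory that works with both the Apache 2.2 `Deny from all` syntax and the Apache 2.4 `Require` syntax; the path `themes/<theme>/views/` is assumed:

```apache
# Assumed location: themes/<theme>/views/.htaccess
# Blocks direct HTTP requests to view files; PHP still reads them from disk.

# Apache 2.4 (mod_authz_core): "Deny from all" alone would fail here
# unless mod_access_compat is loaded, so use the 2.4 directive.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (mod_authz_host): classic syntax from the reply above.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

This only takes effect if the directory's `AllowOverride` permits it (`AuthConfig` for `Require`, `Limit` for `Order`/`Deny`); with `AllowOverride None` the file is silently ignored and the views stay reachable, so verify by requesting a view file and expecting a 403.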
I can second the wish to use themes but have the theme views in protected. In my app, I have a default theme that is oriented towards desktop users. However, it has turned out to be not so good on my Android phone, so I created a mobile theme which for the most part is just a CSS file, but for the main view it would make sense to use a different view.
I ended up not using the built-in theme framework and instead have if-statements in my code that output the "default" theme in different ways depending on which theme is selected in my own theme selector component. This way I can add tweaks here and there to the HTML output while doing most of the customization in a CSS file in the usual place.