The dangers here are not theoretical. Security researchers have documented countless cases.
location /private autoindex off;