I think your critique is more for WordPress than Bedrock/Sage. Serving “App files” in the web root is the reality you have to live with when using WordPress — and that’s probably why many people steer clear of WordPress in the first place. The security advantage that Bedrock provides is that your environment variables & secrets are outside of the web root.
Hypothetically, if we were to follow a more “Laravel Way of doing things,” we’d need to chuck out the entire WordPress admin dashboard since it needs to be in the web root, which would break compatibility with almost the entire WordPress ecosystem. IMO it wouldn’t be worth it; instead, it would be a much better endeavour to build a Laravel-based CMS.
For the sake of reference…
Default WordPress install
/var/www/public_html ← web root
Bedrock improves upon this, in the sense that it treats WordPress as a dependency, but since wp-admin must still be accessible, it still needs to sit in the web root.
│ ├── environments
│ └── application.php
├── web ← web root
│ ├── app ← themes, plugins, etc.
│ ├── wp ← WordPress
│ ├── index.php
│ └── wp-config.php
├── .env ← environment variables
Even WordPlate, which takes a more Laravel-y approach in terms of naming, still installs WordPress, themes, and plugins within the web root.
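A way to check that the separation described in the post above actually holds on a deployed tree, as an added example that is not part of the original post or of Bedrock itself. The function names, the `secrets` defaults (`.env` and `config`, taken from the tree shown) and the sample files are assumptions, and it assumes the web server follows symlinks.

```python
import os
import tempfile
from pathlib import Path

def exposed_secrets(project_root, web_dir="web", secrets=(".env", "config")):
    """List files reachable under the web root that are, or resolve into, a secret path.

    `secrets` are paths relative to project_root (assumed names, taken from
    the Bedrock tree in the post: .env and the config directory).
    """
    root = Path(project_root).resolve()
    web = root / web_dir
    secret_paths = [(root / s).resolve() for s in secrets]
    seen, hits = set(), []
    # followlinks=True: assume a symlinked directory is served like a real one.
    for dirpath, dirnames, filenames in os.walk(web, followlinks=True):
        real_dir = Path(dirpath).resolve()
        if real_dir in seen:          # symlink loop guard
            dirnames[:] = []
            continue
        seen.add(real_dir)
        for name in filenames:
            url_path = Path(dirpath, name)
            real = url_path.resolve()
            if any(real == s or s in real.parents for s in secret_paths):
                hits.append(url_path.relative_to(web).as_posix())
    return sorted(hits)

def build_bedrock_layout(base):
    """Constructed sample tree mirroring the Bedrock layout in the post."""
    base = Path(base)
    (base / "config" / "environments").mkdir(parents=True)
    (base / "web" / "app" / "uploads").mkdir(parents=True)
    (base / "web" / "wp").mkdir()
    (base / ".env").write_text("DB_PASSWORD=constructed-sample\n")
    (base / "config" / "application.php").write_text("<?php // sample\n")
    (base / "web" / "index.php").write_text("<?php // sample\n")
    (base / "web" / "wp-config.php").write_text("<?php // sample\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_bedrock_layout(tmp)
        print("clean layout:", exposed_secrets(root))
        # A stray symlink inside the web root undoes the separation.
        os.symlink(root / ".env", root / "web" / "app" / "uploads" / "backup.env")
        print("with symlink:", exposed_secrets(root))
```

Passing `web_dir="."` models the default WordPress install, where the project root and the web root are the same directory.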