Autogenerated .htaccess is for apache 2.2
Interestingly it works anyway because it returns a 500 error if you try to access files, so it doesn't seem like a security issue, but it's obviously not what's intended.
In CRM_Utils_File::restrictaccess it creates a default .htaccess file that uses the Order directive. This doesn't work in apache 2.4.
Not sure if apache 2.2 is officially supported. It doesn't say in the Requirements documentation. But even if it is I'm thinking 2.4 should be the default anyway. Something like "Require all denied"?