The idea behind this approach is to prevent website visitors from accessing the PHP scripts directly and, if the server is misconfigured (e.g. the PHP interpreter is disabled for some reason, or there are other hosting issues), to prevent access to your scripts' source code and configuration settings (database access details). It also makes the user-uploaded files (images, documents) and encrypted session data impossible to access. Most importantly, site visitors cannot get to the /vendor folder, which contains 3rd party packages.
There is nothing to protect in the /public folder: any client or bot can access all files in the /css or /js folders. robots.txt is included to let any bot access any open resource on the website.
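
A deployment check for the layout described above, as an added example that is not part of the original project: it flags anything under /public that the text says should stay out of visitors' reach. The function names, the `index.php` front controller name, the settings-file patterns and the Composer file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a deployment for files that do not belong in the web root.

# report LABEL LIST: print each path in LIST prefixed with LABEL; fail if any.
report() {
    [ -z "$2" ] && return 0
    printf '%s\n' "$2" | sed "s|^|$1: |"
    return 1
}

# audit_public_root PROJECT_DIR [FRONT_CONTROLLER]
# Returns 0 when PROJECT_DIR/public holds only public assets, 1 on findings,
# 2 when the folder is missing. The front controller name is an assumption.
audit_public_root() {
    pub="$1/public"; front=${2:-index.php}
    [ -d "$pub" ] || { echo "ERROR: $pub is not a directory" >&2; return 2; }
    rc=0
    # PHP source that would be served as plain text if the interpreter is off.
    report PHP-SOURCE "$(find "$pub" -type f -name '*.php' ! -path "$pub/$front")" || rc=1
    # Third-party packages or Composer metadata copied under the web root.
    report VENDOR "$(find "$pub" \( -type d -name vendor -o -name 'composer.*' \))" || rc=1
    # Settings files (assumed naming patterns) that may hold database details.
    report CONFIG "$(find "$pub" -type f \( -name '.env*' -o -name '*.ini' \))" || rc=1
    # Symlinks can re-expose uploads, sessions or code kept outside /public.
    report SYMLINK "$(find "$pub" -type l)" || rc=1
    return $rc
}

# Constructed sample tree: a stray script, a copied vendor folder and a .env.
demo=$(mktemp -d)
mkdir -p "$demo/public/css" "$demo/public/js" "$demo/public/vendor/pkg" "$demo/vendor"
: > "$demo/public/index.php"; : > "$demo/public/robots.txt"
: > "$demo/public/css/site.css"; : > "$demo/public/db_test.php"
: > "$demo/public/vendor/pkg/lib.php"; : > "$demo/public/.env"
audit_public_root "$demo" || echo "audit failed: move the files above out of /public"
rm -rf "$demo"
```

Run as a pre-deploy step, a non-zero exit status can block a release that has placed scripts, packages or settings inside the document root.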