Hi Filippo,
Basically, the directory needs to be located outside of the web server Document Root Directory, as this will avoid people having direct access to it.
You might want to read the following docs:
http://docs.moodle.org/22/en/Moodledata_directory
http://docs.moodle.org/27/en/Installing_Moodle#Create_the_.28moodledata.29_data_directory
http://docs.moodle.org/27/en/Security_overview_report
http://docs.moodle.org/27/en/Security_recommendations
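
The check described above can be scripted. This is an added example, not part of the original post or of Moodle's own code: the function names `under` and `check_dataroot` are hypothetical, and the two paths are whatever your site uses for the moodledata directory and the web server's document root.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Usage: sh check_dataroot.sh /path/to/moodledata /path/to/DocumentRoot

# True if directory $1 is $2 itself or lies below it. The trailing slash keeps
# /var/www-data from being treated as a child of /var/www.
under() {
    case "$1/" in
        "${2%/}"/*) return 0 ;;
    esac
    return 1
}

# Returns 0 if the data directory is not reachable under the document root,
# 1 if it is exposed, 2 if either path cannot be resolved.
check_dataroot() {
    # pwd -P resolves symlinks, so both paths are compared by real location.
    data=$(cd -- "$1" 2>/dev/null && pwd -P) || { echo "error: cannot resolve $1"; return 2; }
    root=$(cd -- "$2" 2>/dev/null && pwd -P) || { echo "error: cannot resolve $2"; return 2; }

    if under "$data" "$root"; then
        echo "EXPOSED: $data is inside document root $root"
        return 1
    fi

    # A symlink inside the document root that leads to the data directory
    # (or to a parent or child of it) can expose it if the server follows links.
    hit=$(find "$root" -type l | while IFS= read -r link; do
        target=$(cd -- "$link" 2>/dev/null && pwd -P) || continue
        if under "$data" "$target" || under "$target" "$data"; then
            echo "$link"
            break
        fi
    done)
    if [ -n "$hit" ]; then
        echo "EXPOSED: symlink $hit in the document root leads to $data"
        return 1
    fi

    echo "OK: $data is outside document root $root"
    return 0
}

if [ "$#" -eq 2 ]; then
    check_dataroot "$1" "$2"
fi
```

Symlinks that point at individual files inside the data directory are not followed by this check, only directory links.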