Ah I think this slipped through because of a late change to the tracker. In an earlier version there was an explicit check for the path /.well-known/security.txt and we should have also added one a similar path in the pluginfile pathinfo. It was changed later in the process because MDL-69877 also ended up doing the same thing differently and landed in parallel. I'm pretty sure we did hit that edge case in nginx and we fixed it, the order of the declarations matters which is why nginx works, but apache was not tested in the end.
/report/security/index.php?detail=core_publicpaths
Tracker here: https://tracker.moodle.org/browse/MDL-72132
/report/security/index.php?detail=core_publicpaths
Tracker here: https://tracker.moodle.org/browse/MDL-72132