Since the .user.ini is read from public directories, its contents will be served to anyone requesting it and potentially show them sensitive configuration settings.
Add these lines to your .htaccess to block requests to it:
<Files ".user.ini">
Require all denied
</Files>
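
To check an existing site for the exposure described above, the following added example (not part of the original note) walks a document root and lists every .user.ini that is not covered by such a block in an .htaccess in the same or a parent directory. It assumes the default `user_ini.filename` of `.user.ini` and Apache 2.4 syntax, uses a text heuristic rather than a full Apache config parser, and does not see rules set in the main server configuration; the function names are illustrative.

```python
import re
from pathlib import Path

# Heuristic match for the <Files ".user.ini"> ... </Files> block from the note.
DENY_BLOCK = re.compile(
    r'<Files\s+"?\.user\.ini"?\s*>(?P<body>.*?)</Files>',
    re.IGNORECASE | re.DOTALL,
)
DENY_RULE = re.compile(r"^\s*Require\s+all\s+denied\s*$", re.IGNORECASE | re.MULTILINE)


def htaccess_denies_user_ini(htaccess: Path) -> bool:
    """True if this .htaccess has a <Files ".user.ini"> block with Require all denied."""
    try:
        text = htaccess.read_text(errors="replace")
    except OSError:
        return False  # missing or unreadable file gives no protection
    # Drop comment lines so a commented-out rule does not count.
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return any(DENY_RULE.search(m.group("body")) for m in DENY_BLOCK.finditer(text))


def unprotected_user_ini(docroot: str) -> list[str]:
    """Return .user.ini paths (relative to docroot) with no covering deny rule.

    .htaccess rules apply to their directory and everything below it, so every
    directory from the file's own up to the docroot is checked.
    """
    root = Path(docroot).resolve()
    exposed = []
    for ini in sorted(root.rglob(".user.ini")):
        directory, covered = ini.parent, False
        while True:
            if htaccess_denies_user_ini(directory / ".htaccess"):
                covered = True
                break
            if directory == root or directory.parent == directory:
                break
            directory = directory.parent
        if not covered:
            exposed.append(ini.relative_to(root).as_posix())
    return exposed


if __name__ == "__main__":
    import sys
    for path in unprotected_user_ini(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("no deny rule covers:", path)
```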