Core Extension felogin prevents Helmut Hummel secure web approach
The extension felogin does conflict with Helmut Hummel approach of secure web folder structure.
The extension uses TSFE->tmpl to fetch the tempalte file. This way it's always relative to the document root where no private files are available.
This needs to be adjusted to template files are searched within the typo3 folder.
The issue is the following line: https://github.com/TYPO3/TYPO3.CMS/blob/v8.7.8/typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php#L145
Bu using the TemplateService it will always be relative to document root.
As https://github.com/TYPO3/TYPO3.CMS/blob/v8.7.8/typo3/sysext/core/Classes/TypoScript/TemplateService.php#L1351 tells to
Returns the reference used for the frontend inclusion, checks against allowed paths for inclusion.
This is definitively the wrong API usage, as templates are not frontend inclusions.
Therefore some other API should be used.