We're still using core's default behavior of naming the config directory by using an md5 hash of the database connection information, which is security-by-obscurity:
```php
$config_directories['active'] = 'files/config_' . md5($database) . '/active';
$config_directories['staging'] = 'files/config_' . md5($database) . '/staging';
```

Pantheon now provides a protected_web_paths option in the pantheon.yml that will more securely prevent anyone from being able to access these files.
For new installs, I'd like to recommend that we include files/config in the list of protected paths, and replace the config locations as follows:
```php
$config_directories['active'] = 'files/config/active';
$config_directories['staging'] = 'files/config/staging';
```

Would it be possible to make such a change without affecting current sites?
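
Added example, not part of the original issue or the project's code: a small Python lint that reads a site's `$config_directories` lines and the `protected_web_paths` list from `pantheon.yml`, and reports config directories that are not provably under a protected path. The sample file contents are constructed, the function names are hypothetical, and it assumes a protected path covers everything beneath it; paths built at runtime (the `md5($database)` form) cannot be resolved statically and are reported.

```python
import re
from pathlib import PurePosixPath

# Constructed sample inputs (not taken from any real site).
PANTHEON_YML = """\
api_version: 1
protected_web_paths:
  - /files/config
"""
SETTINGS_NEW = """\
$config_directories['active'] = 'files/config/active';
$config_directories['staging'] = 'files/config/staging';
"""
SETTINGS_LEGACY = """\
$config_directories['active'] = 'files/config_' . md5($database) . '/active';
$config_directories['staging'] = 'files/config_' . md5($database) . '/staging';
"""

def protected_paths(yml):
    """Collect items of the protected_web_paths list (minimal parser, flat list only)."""
    paths, in_list = [], False
    for line in yml.splitlines():
        if re.match(r"^\S", line):  # a new top-level key starts or ends the list
            in_list = line.startswith("protected_web_paths:")
        elif in_list and (m := re.match(r"^\s+-\s+['\"]?([^'\"#]+?)['\"]?\s*$", line)):
            paths.append(PurePosixPath("/" + m.group(1).strip("/")))
    return paths

def config_dirs(settings):
    """Map each $config_directories key to its path, or None if built at runtime."""
    out = {}
    for key, expr in re.findall(r"\$config_directories\['(\w+)'\]\s*=\s*(.+?);", settings):
        literal = re.fullmatch(r"'([^']*)'", expr.strip())  # single string literal only
        out[key] = PurePosixPath("/" + literal.group(1).strip("/")) if literal else None
    return out

def unprotected(settings, yml):
    """Return the keys whose directory is not provably under a protected path."""
    prot = protected_paths(yml)
    # Assumption: a protected path covers itself and everything beneath it,
    # compared per path segment, so /files/config does not cover /files/config_x.
    return sorted(k for k, d in config_dirs(settings).items()
                  if d is None or not any(d == p or p in d.parents for p in prot))

if __name__ == "__main__":
    print("new layout, unprotected:", unprotected(SETTINGS_NEW, PANTHEON_YML))
    print("legacy layout, unprotected:", unprotected(SETTINGS_LEGACY, PANTHEON_YML))
```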