Best place to keep files that are called by cron jobs?

Assuming you’re running cron jobs under your user account, it will have access to any folder that your account has read access to. If you do not need them to be publicly accessible, and you have access to a folder outside your public web root, then for security purposes you should put them outside of the web root.

However, if you are on shared hosting, this may not be possible due to open_basedir restrictions. In that case, you can either create a subdirectory under your main WordPress directory, or in your plugins folder. You can add an htaccess file to block access from the outside.