WordPress is engineered exclusively to reside in web-accessible folders, unlike many less user-centric web frameworks, which separate locations of private (code, etc) and public (assets).
Making filenames hard to guess is about as good as it gets with normal workflow.
To have this really tight you would need completely custom workflow with files places into web-inaccessible directory and moved to public ones at the release time.