Why are double-periods (“..”) invalid in a WordPress image filename?

Looks like this is a defect. Ish.

As @s_ha_dum mentioned, this is to prevent a directory traversal attack. However, WordPress’ Media Library will happily let you upload a file with two or more periods in a row, even if ms-files.php will refuse to serve it up.

So, nothing is technically “broken”, but this certainly isn’t ideal. There’s a patch to prevent this, but it looks like it was never actually added to the core:

https://core.trac.wordpress.org/attachment/ticket/16189/check%20for%20double%20periods.diff

More info on this defect:
https://core.trac.wordpress.org/ticket/12756
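The check the answer refers to, written out as an added example (not WordPress core code and not the patch linked above): a serve-time test that refuses any name containing two or more consecutive periods or a path separator, plus an upload-time normaliser so that what the Media Library accepts is also what the file server will deliver. Function names are hypothetical.

```php
<?php
// Added example, not WordPress code. Demonstrates why ".." is refused when
// serving an upload and how to keep upload-time validation consistent with it.

/**
 * True if $name is a bare file name that is safe to store in, and serve from,
 * the uploads directory: no NUL byte, no path separator, no ".." sequence.
 * Hypothetical helper, not a WordPress function.
 */
function is_safe_upload_name(string $name): bool
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    // A slash or backslash would let the name address another directory.
    if (strpos($name, '/') !== false || strpos($name, '\\') !== false) {
        return false;
    }
    // Two or more periods in a row: the condition that makes the file server
    // refuse the request, because ".." is the traversal component.
    if (preg_match('/\.{2,}/', $name) === 1) {
        return false;
    }
    return true;
}

/**
 * Collapse runs of periods at upload time so that a stored name is never
 * later rejected by the serve-time check. Hypothetical helper.
 */
function collapse_double_periods(string $name): string
{
    return preg_replace('/\.{2,}/', '.', $name);
}

// Constructed sample names (not taken from any real upload).
$samples = ['photo.jpg', 'photo..jpg', '../wp-config.php', 'report.final..v2.pdf'];

foreach ($samples as $name) {
    $fixed = collapse_double_periods($name);
    printf("%-22s %-7s -> stored as %-22s %s\n",
        $name,
        is_safe_upload_name($name) ? 'serve' : 'refuse',
        $fixed,
        is_safe_upload_name($fixed) ? 'serve' : 'refuse');
}
```

Running it shows `photo..jpg` refused as uploaded but accepted once collapsed to `photo.jpg`, while `../wp-config.php` stays refused because the separator, not just the periods, is what makes it unsafe.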
