Thanks for the review.
Good point, yes. It's not very secure, if you leave it as it is. But only for those who know the extension.
Although, it is created with the ability to save to an absolute or relative path, which means you can save the file even out of your public_html directory, which is totally secure.
Moreover, you can save the file in a custom directory or wherever you want. Another user saved the file as the mailing list file of an external program, with a custom file extension (instead of txt).
You can do stuff to make it quite secure, quite easily.