If the user your webserver is running as, is also the owner of the template files, then it could be possible that a website visitor modifies/deletes them if there is an exploit in eZ publish which allows him/her to do so. But in normal circumstances, there's no security risk.