I noticed that the way ComponentSupport implements getResource(String path) that any file in the module's sar is available for download over the web, including class files.
If you design a custom module, make sure that you do not have any sensitive code in the sar. Another work-around is to override getResource(String) to have custom security logic (see HTMLModule) or just return null if you don't want to ever serve up resources.
-Scott