These are just plain HTML templates which do not contain any security information. After parsing they all are transformed into "live" HTML which anyone can see by viewing the source of the web page.
.html extension is also because to show those files are allowed to modify in any HTML editor.
If you would like to prevent viewing HTML templates by public directly, you may use .htaccess directive like this:
<Files ~ "\.html|\.htaccess">
deny from all
and put .htaccess file under your templates/ folder.