The "install" part enters the equation when the attacker finds that install.php.bak . That backup file might contain database credentials, admin emails, or even the server’s file structure. Combined with the private images, this becomes a full-scale data breach. Attackers do not manually browse websites. They use Google Dorks (advanced search operators) or automated scanners. The keyword "parent directory index of private images install" is a derivative of classic Google Dorks.
The solution is trivial: It takes ten seconds to add Options -Indexes or autoindex off . It takes a lifetime to recover from a leaked private image.
Options -Indexes To be extra safe, also block access to any file containing install or config :
location ^~ /private-images autoindex off; deny all;