
vendor/composer/installed.json is exposed publicly #17378

@fmarier

Description


Despite the recommended Nginx configuration explicitly denying files under vendor/, Matomo ends up serving up the vendor/composer/installed.json file due to a separate vendor/.htaccess config blurb:

# Allow to serve static files which are safe
<Files ~ "\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$">
    Require all granted
</Files>

which is generated by this code.

It would be preferable to keep that file private since it reveals exact versions of packages installed on a server. For example: https://demo.matomo.cloud/vendor/composer/installed.json
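The following is an added example, not code from the issue or from Matomo. It mirrors the extension allow-list quoted above as a Python regex (Apache's `<Files ~ "...">` matches the pattern against the file's basename), runs it over a constructed list of vendor/ paths to show which ones the rule would serve, compares that with an assumed hardening rule that refuses everything below `vendor/composer/`, and includes a probe you can point at your own deployment to confirm the manifest is no longer readable. The `served_after_hardening` rule and the sample file list are assumptions made for illustration, not Matomo's fix.

```python
"""Added example: model the vendor/.htaccess allow-list from the issue and
check a deployment for the exposed Composer manifest."""
import json
import os
import re
import urllib.error
import urllib.request

# The extension allow-list from vendor/.htaccess as quoted in the issue.
# Apache's <Files ~ "..."> applies the regex to the basename of the file.
VENDOR_STATIC_ALLOW = re.compile(
    r"\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$"
)


def served_by_vendor_htaccess(path: str) -> bool:
    """True if the quoted rule grants access to this webroot-relative path."""
    return VENDOR_STATIC_ALLOW.search(os.path.basename(path)) is not None


def served_after_hardening(path: str) -> bool:
    """Assumed fix (not Matomo's): keep the static allow-list, but never serve
    anything below vendor/composer/, which holds only Composer metadata and
    autoloader code rather than browser assets."""
    parts = path.replace("\\", "/").split("/")
    if parts[:2] == ["vendor", "composer"]:
        return False
    return served_by_vendor_htaccess(path)


# Constructed sample of paths one might find under vendor/ (hypothetical names).
SAMPLE_VENDOR_FILES = [
    "vendor/composer/installed.json",
    "vendor/composer/autoload_real.php",
    "vendor/composer/ClassLoader.php",
    "vendor/twig/twig/src/Environment.php",
    "vendor/some-lib/assets/widget.js",
    "vendor/some-lib/assets/config.json",
]


def exposed_files(files, rule=served_by_vendor_htaccess):
    """Return the subset of paths that the given access rule would serve."""
    return [f for f in files if rule(f)]


def probe_installed_json(base_url: str, timeout: float = 5.0) -> dict:
    """Check your own deployment: fetch /vendor/composer/installed.json and
    report whether it comes back as readable JSON (a 403/404 means blocked).
    Only the status and a boolean are recorded; the body is not kept."""
    url = base_url.rstrip("/") + "/vendor/composer/installed.json"
    req = urllib.request.Request(url, headers={"User-Agent": "installed-json-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
            try:
                json.loads(body)
                is_json = True
            except ValueError:
                is_json = False  # e.g. a catch-all HTML page, not the manifest
            return {"url": url, "status": resp.status, "exposed": is_json}
    except urllib.error.HTTPError as err:
        return {"url": url, "status": err.code, "exposed": False}


if __name__ == "__main__":
    print("Served by the quoted rule:")
    for f in exposed_files(SAMPLE_VENDOR_FILES):
        print("  ", f)
    print("Served after hardening:")
    for f in exposed_files(SAMPLE_VENDOR_FILES, served_after_hardening):
        print("  ", f)
    # Example against a local install (assumed URL):
    # print(probe_installed_json("http://localhost:8080/matomo"))
```

Run without arguments to see that `vendor/composer/installed.json` is the only file under `vendor/composer/` the quoted rule lets through, purely because of the `json` alternative in the regex; the hardening rule closes that path while leaving genuine static assets served. The probe function is meant for your own Matomo host after deploying a fix.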

Labels

c: Security: For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.