They are not a security mechanism because access is not restricted – usually the intent is simply to not "clutter" the display of the contents of a directory listing with files the user did not directly create.
[6] A convention arose of using dotfiles in the user's home directory to store per-user configuration or informational text.
[7] Many applications, from bash to desktop environments such as GNOME, now store their per-user configuration this way, but the Unix/Linux freedesktop.org XDG Base Directory Specification aims to migrate user config files from individual dotfiles in $HOME to non-hidden files in the hidden directory $HOME/.config.
[8] The Android operating system uses empty .nomedia files to tell smartphone apps not to display or include the contents of the folder.
In the GNOME desktop environment (as well as all programs written using GLib[9]), filenames listed in a file named .hidden in each directory are also excluded from display.
In addition to the "dotfile" behaviour, files with the "Invisible" attribute are hidden in Finder, although not in ls.
Under Windows Explorer, the content of a directory can also be hidden just by appending a pre-defined CLSID[12] to the end of the folder name.