By default the debug.log file is written to a standard folder and filename:
/wp-content/debug.log
This standard will be available on 99% of the websites. And because /wp-content/ is a publicly accessible folder (It also has your uploads folder with images, for example), the debug.log might be an interesting file for anyone with malicious intent, if accessible.
But why?
The debug.log might contain important or confidential information. If it extends to plugins that handle more sensitive data like usernames, passwords, emails, payment credentials, and so forth, it could be a security risk if not properly protected. It doesn’t mean any debug.log file is accessible or contains sensitive data, but in any case, changing its location will be much easier for peace of mind.
Where is it?
The new path will be random, and, therefore, almost impossible to guess if someone is scanning your files and in this case would only choose the known file paths. The default is filled with useless information.
/wp-content/debug_fmf5zl216w/debug.log