There’s no standard location for private files, but you could create a
/srv/domain.com/public/htdocs/secure directory and set the default permissions for new files to
setfacl -d -m o::--- /srv/domain.com/public/htdocs/secure. As long as www-data (Apache) can’t read it, it won’t be accessible over the web.
Alternatively, you could just have a
/srv/domain.com/secure directory which Apache wouldn’t see to begin with (unless you modified the
DocumentRoot in the
/etc/apache2/sites-enabled/domain.com.conf vhost file).
There’s a few options available and the best choice will depend on your individual server setup I think.