So consider adding a warning message to those who enable the log, and are not aware of the security & privacy issue.
By the way, what happen if you change the destination log file from .log to .php? That will probably make the file not readable by unauthorized users, and resolve the problem.
