HTTP basic authentication is very easy to set up and maintain (and keep secure) on pretty much every webserver ever made.
A dynamic PHP system like Lychee is very hard to infeasible for an average non-technical user to keep maintained and secure. Even technical web developers have trouble keeping PHP projects secure over years. A static webserver with HTTP basic auth is more secure now and incomparably more secure over 5-10 years. If you are worried about security then definitely do not give a third-party PHP system access to your files.