You could also, as you suggest, store the 'private' pages outside the public area. Public pages can still read the private pages (subject to permissions, of course). A simple way to read them is with include() or require_once().
In fact, if you have include files then it is generally a good idea for security to store them outside of the public area so they cannot be executed directly by users. A private area also helps keep sensitive information like database passwords secure, because sometimes web servers decide to serve your PHP source rather than the results of execution.
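A sketch of the layout described above, as an added example that is not part of the original answer. The directory names, the `load_private()` helper and the sample config values are hypothetical and constructed for illustration; the helper also checks that the resolved path stays inside the private area, which matters if the include name ever comes from a request.

```php
<?php
// Constructed layout in a temp dir so the script runs anywhere:
//   <base>/private/  include files and config, outside the document root
//   <base>/public/   the only directory the web server would expose
$base = sys_get_temp_dir() . '/private_area_demo_' . getmypid();
mkdir("$base/private", 0700, true);
mkdir("$base/public", 0755, true);
file_put_contents("$base/private/config.php",
    "<?php\nreturn ['db_user' => 'app', 'db_pass' => 'constructed-sample'];\n");
file_put_contents("$base/private/about.php", "<?php\nreturn 'About page body';\n");
file_put_contents("$base/public/index.php", "<?php\nreturn 'public entry point';\n");

define('PRIVATE_DIR', realpath("$base/private"));

// Hypothetical helper: include a file from the private area by short name.
// realpath() collapses "../" and symlinks, so the prefix check rejects any
// name that resolves outside PRIVATE_DIR or does not exist.
function load_private(string $name)
{
    $path = realpath(PRIVATE_DIR . '/' . $name . '.php');
    if ($path === false || strpos($path, PRIVATE_DIR . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("Not a private include: $name");
    }
    // require (not require_once) so the file's return value is available
    // on every call; require_once returns true on repeat includes.
    return require $path;
}

// What a public page would do: read private files it cannot be asked to serve.
$config = load_private('config');
echo "db user: ", $config['db_user'], "\n";
echo load_private('about'), "\n";

try {
    load_private('../public/index');   // resolves outside the private area
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Remove the constructed demo files.
foreach (['private/config.php', 'private/about.php', 'public/index.php'] as $f) {
    unlink("$base/$f");
}
rmdir("$base/private");
rmdir("$base/public");
rmdir($base);
```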