I would say it is almost always a better choice to use directories. If you've ever tried backing up a large database using PHPMyAdmin then you'll understand why. Having said that, if you ever need to "transport" the Tiki database to a new server/domain, then the later versions of Tiki now include a handy feature to move files to the database and vice versa. (although this isn't necessarily required).
As for your question...
To Quote the Tiki File Gallery admin page:
If you decide to store files in a directory you must ensure that the user cannot access directly to the directory. You have two options to accomplish this:
- Use a directory outside your document root, make sure your php script can read and write to that directory
- Use a directory inside the document root and use .htaccess to prevent the user from listing the directory contents
To configure the directory path use UNIX like paths for example files/ or c:/foo/files or /www/files/
So basically you have two choices, outside of your public HTML folder, or inside but use rules. I can't advise you there one way of the other, my knowledge is not sufficient enough, except to say option one is probably easier and requires less modification.