alternatively, if there's a vulnerable script on that server, someone could exploit it to read your PHP code.

example:
vuln.php (very simplified)
<?
echo file_get_contents($_GET['thefile']);
?>

then someone could request this:
vuln.php?thefile=/path/to/your/script.php
and receive the source to your file.

while none of your scripts may be vulnerable, if you're on a shared server, any of the other sites hosted on that server might be exploitable.

and yes, it's unlikely that vuln.php will exist exactly as in the example, but lots of scripts read files, and if the paths to the files are sent via user data (get,post,cookie), then they can be exploited in this way.

Also, if someone is on a shared server, they can sometimes read all the file on the server, eg:

read.php:
<?
echo "<pre>".file_get_contents("/etc/passwd")."</pre>";
?>
works on most servers, also:
<?
echo "<pre>".file_get_contents("/home/vhosts/anothersite/public_html/theirscript.php")."</pre>";
?>
will work on a few badly configured servers.