I wasn't commenting on the security implications. My point was that bleeding implementation details like .php in your URLs is silly because that URL might end up being served by a Node app one day.
But on the security point, a URL ending in .php does imply a "we just YOLO'd a bunch of bare scripts into the webroot" application architecture, which is not confidence inspiring as a user and sure looks attractive to pentest.