vendor should be accessible (it should at least be readable and writable by your webserver, readable at most for anyone else), as it is used by your webserver to serve some components that are not part of the DokuWiki installation. Most importantly, GeSHi, the syntax highlighter.
What can someone do if they do have access to these directories from the web?
For inc, tpl and vendor: if they have read access (which they should), not much. They would get the same files from downloading DokuWiki anyway.
For data and conf: if they have read access, they can access your userlist and your hashed passwords, as well as your plugin configuration (which might include auth models) and word / domain blocklist if any.
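A way to check an installation against the points above, as an added example that is not part of the original answer or of DokuWiki itself: it flags `data` and `conf` when they carry no Apache deny rule in `.htaccess`, and flags `inc`, `tpl` and `vendor` when they are writable by anyone. It assumes Apache with `.htaccess` overrides enabled; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Apache 2.4 ("Require all denied") and 2.2 ("Deny from all") deny rules.
# Commented-out directives do not match because the line must start with the rule.
DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\b", re.I | re.M)

def audit(root, private=("data", "conf"), shared=("inc", "tpl", "vendor")):
    """Return a list of (directory, finding) tuples for a DokuWiki-style tree."""
    findings = []
    for name in private:
        path = os.path.join(root, name)
        if not os.path.isdir(path):
            continue
        try:
            with open(os.path.join(path, ".htaccess"), encoding="utf-8",
                      errors="replace") as fh:
                denied = bool(DENY_RE.search(fh.read()))
        except OSError:
            denied = False  # a missing or unreadable file protects nothing
        if not denied:
            findings.append((name, "no deny rule in .htaccess"))
    for name in shared:
        path = os.path.join(root, name)
        # Readable by everyone is fine; writable by everyone is not.
        if os.path.isdir(path) and os.stat(path).st_mode & stat.S_IWOTH:
            findings.append((name, "world-writable"))
    return findings

def build_sample(root):
    """Constructed sample tree: conf is protected, data is not, vendor is 0777."""
    for name in ("data", "conf", "inc", "vendor"):
        os.mkdir(os.path.join(root, name))
    with open(os.path.join(root, "conf", ".htaccess"), "w") as fh:
        fh.write("<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n")
    os.chmod(os.path.join(root, "inc"), 0o755)
    os.chmod(os.path.join(root, "vendor"), 0o777)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, finding in audit(tmp):
            print(f"{name}: {finding}")
```

A clean result only covers Apache with overrides honoured; on servers that ignore `.htaccess` (nginx, for example) the deny rule has to live in the server configuration instead.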