Files in WEB-INF are not visible to the users. It’s a bit safer that way.
If (a contrived example) you are including db.jsp, but by itself it throws an exception, a malicious user can open http://yoursite.com/db.jsp and get some insight on your application (worst – the database credentials) from the exception message.