It must always run at http://localhost/. There is no room for debate.
Running it at a URL like http://localhost/public/ is completely wrong.
The reason attacks attempting to read the http://localhost/.env file have been increasing over the past few years is because beginners who don't understand this accidentally expose their .env file.
public directory is the web server's document root. Do not expose anything outside of the public directory to the public.This is the most basic of basics. It is extremely dangerous for those who do not understand this to use it incorrectly.