Yes, they should go in wwwroot. Currently there is no built-in way to secure wwwroot directories. But creating a middleware module to accomplish it is pretty straightforward. There is an easy to follow tutorial here.
If you’re not familiar with developing middleware, I posted a GitHub project that shows how to create middleware in three easy steps. You can download the project here.
You don’t need a controller to access static files.