Can you tamper with the query string below to access a private file?

Yep! You accessed a private file of passwords. Path traversal is sometimes called a dot-dot-slash attack since "../" climbs server directories.

Isn't index.html a public file anyway?