Like runfast suggested, it should not require 777 or a+w permission.
Alternatively it should also create a .htaccess file to block direct access to the backup directory.
Any download should be done via Admin and not via direct URL access, which is now possible if you can guess the URL.
Here is an example of a .htaccess file with hotlink protection:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Refuse the listed file types unless the Referer is one of this site's own hostnames
# (with or without "www", with or without a trailing path). [NC] = case-insensitive match.
RewriteCond %{HTTP_REFERER} !^http://example.org.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://example.org.uk$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.org.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.org.uk$ [NC]
# [F] answers 403 Forbidden for archives, dumps and images requested from elsewhere
RewriteRule .*\.(zip|pdf|sql|jpg|jpeg|gif|png|bmp)$ - [F,NC]
# Standard front-controller rules: serve index.php as-is and route every
# request that is not an existing file or directory through index.php
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
Make sure to replace example.org.uk with your own domain.
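Added example (not code from this thread or the plugin): a POSIX shell helper that creates the backup directory without world-write permission and drops a deny-all .htaccess into it, plus a check that verifies both conditions; the function names and the /path/to/backups placeholder are hypothetical.

```shell
# Create the backup directory with 0750 (owner rwx, group r-x, nothing for
# "other") instead of 777, and write a deny-all .htaccess so Apache never
# serves the directory directly; downloads then have to go through the
# application's admin page.
setup_backup_dir() {
    dir="$1"
    mkdir -p "$dir"
    chmod 0750 "$dir"
    cat > "$dir/.htaccess" <<'EOF'
# Block all direct HTTP access to this directory (Apache 2.4, with 2.2 fallback).
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
Options -Indexes
EOF
}

# Return 0 when the directory exists, is not world-writable and carries a
# deny-all .htaccess; return 1 (with a reason on stdout) otherwise.
check_backup_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # In "ls -ld" output the 9th character is the "other" write bit (drwxrwxrwx).
    other_w=$(ls -ld "$dir" | cut -c9)
    [ "$other_w" != "w" ] || { echo "world-writable: $dir"; return 1; }
    [ -f "$dir/.htaccess" ] || { echo "no .htaccess in $dir"; return 1; }
    grep -q -e 'Require all denied' -e 'Deny from all' "$dir/.htaccess" \
        || { echo ".htaccess does not deny access: $dir"; return 1; }
    return 0
}

# Usage (hypothetical path):
#   setup_backup_dir /path/to/backups && check_backup_dir /path/to/backups
```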