When you edit a PHP file, before that file is saved to the filesystem it is now syntax checked to make sure there isn't something obvious that will break your site.
Every file that you edit is backed up before your first save to the filesystem and then on subsequent saves WPide will try and make a backup. It will save a maximum of 1 backup per hour to the server.
As you edit or more specifically save PHP files the restore button will display which will allow you to restore the most recent backup.
If your WordPress install is fully functional then you can use the file tree to browse all of your backed up files (plugins/WPide/backups..), if your WordPress install isn't responding then restoring the file using the restore button or directly via FTP/SSH is the only way.
The backed up PHP files cannot be accessed/restored from the web directly without the 40 digit nonce/key so should not pose a security concern. When you press the restore button WPide requests the backed up PHP file directly (not going through the WordPress application), passing a security key to the file you are restoring as a security measure so unauthorised users cannot restore or access backed up files.
This is just the first pass at the restore functionality. It still needs work as it only lets you restore the most recent backup (1 per hour remember) and it doesn't let you inspect the file you are about to restore.
I welcome your feedback.