I have 3 different laravel projects inside public_html (that is, one level below) on a shared hosting.
I changed each domain/subdomain document root path to point to the respective project/public folder (i.e. public_html/project1/public)
Additionally I put the Options -Indexes statement in my .htaccess files so people can't browse directly into my project files, and denied all access to .env files.
Is there still a vulnerability doing this?
I assume that when you mention public_html, that you are using a cpanel like shared hosting solution. In these scenarios, the apache hosting configuration and access to respective folders is managed by the hosting provider. That means you have limited access to restrict access to your code. Typically the hosting provider makes all files in public_html public.
So if my assumption on your setup is correct, the answer to your question is: Yes this is unsafe.
You may also want to know: How can someone install laravel safely on a shared hosting server?
You should follow the instructions from laravel-news. This article will show you how to pull out the folders that should be public and update your configuration to point to the sub folders that migrated to a new location.
Hope this helps.