Defender intentionally generates some logs into error.log. The doc and/or UI should explain this.
I was getting "client denied by server configuration" for /wp-defender files. To avoid localhost access errors, I added a .htaccess as a test to that folder. Then I got other errors.
Ref this thread where James was confused by the same error log.
I understand that this security software wants to make sure that its changelog and other files can't be read. So it intentionally tries to access files that should be restricted, and if it Can access those files, it flags a vulnerability.
I think the Defender UI should indicate in the UI when intentional and ignorable errors are being generated. For example, where the dashboard says "Scan your website for file changes, vulnerabilities and injected code, and get notifications about anything suspicious." Add "During this scan the web server may log to error.log. These are expected and can be ignored - if an error is Not encountered during a test, it means access to a resource is open and Defender will take steps to fix the problem."
That should help when a scan is performed. But note that the scan for file access is performed just when visiting the Defender dashboard - we will see errors in the log ("client denied by server configuration") without any actions, and that could be confusing to an admin. For this I recommend a note in the dashboard that the error log may show a few entries from a preliminary scan, and these can be ignored.
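
One way to separate the expected entries from denials worth reviewing, as an added example that is not part of the original post or Defender's own code. It assumes the Apache 2.4 error-log format, that the plugin's self-checks arrive from a loopback address, and that its files sit under a directory named `wp-defender`; the sample lines are constructed.

```python
import ipaddress
import re

# Apache 2.4 error-log entry carrying the denial message quoted in the post.
DENIED = re.compile(
    r"\[client (?P<ip>[0-9a-fA-F.:]+?):\d+\] "
    r"(?:AH\d+: )?client denied by server configuration: (?P<path>\S+)"
)
PLUGIN_DIR = "/wp-defender/"  # assumption: directory name of the plugin


def classify(line):
    """Return (label, ip, path) for a denial line, or None for other lines."""
    m = DENIED.search(line)
    if m is None:
        return None
    ip, path = m.group("ip"), m.group("path")
    try:
        from_self = ipaddress.ip_address(ip).is_loopback
    except ValueError:
        from_self = False  # unparseable client address is never "expected"
    if PLUGIN_DIR in path and from_self:
        label = "expected-self-probe"  # the plugin checking its own files
    elif PLUGIN_DIR in path:
        label = "external-probe"       # same files, requested by someone else
    else:
        label = "other-denial"
    return label, ip, path


def triage(lines):
    """Count denial entries per label so only unexpected ones need review."""
    counts = {}
    for line in lines:
        result = classify(line)
        if result:
            counts[result[0]] = counts.get(result[0], 0) + 1
    return counts


# Constructed sample lines (not taken from the thread).
P = "[Tue Mar 05 10:15:01.123456 2019] [authz_core:error] [pid 2211] "
MSG = "AH01630: client denied by server configuration: /var/www/html/"
SAMPLE = [
    P + "[client 127.0.0.1:40112] " + MSG + "wp-content/plugins/wp-defender/changelog.txt",
    P + "[client 203.0.113.7:51844] " + MSG + "wp-content/plugins/wp-defender/changelog.txt",
    P + "[client ::1:40200] " + MSG + "private/notes.txt",
    "[Tue Mar 05 10:14:00.000001 2019] [core:notice] [pid 2200] AH00094: Command line: '/usr/sbin/apache2'",
]
```

Only the loopback entries for the plugin's own files are treated as ignorable; the same denial from any other client is counted separately because it is not the plugin's self-check.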