For an example if I have a mail script or a script that writes to a database – scripts that do not echo anything important (other than a thank you, or an error message), but do a lot of important back-end work.
What could the possible security concerns from accessing them directly be?
Is it worth preventing direct access to such files?
They are receiving data using $_POST/$_GET sent trough contact forms and then either mailing it or writing it to a DB (in both cases after good validation).
Still, can the data that is being worked with there be accessed somehow (other than cracking my account and downloading them :)), since obviously opening such files in browser will not give any results to the attacker?
Server misconfiguration
The security risk is, in case the web server fails to execute the php file (because configuration was reset), it’s source-code will be displayed inside the browser as plain text. And you probably want to prevent that.
Wrong Context
Next to that scenario, another problem is, if the file actually does something with your database data for example, calling the file even w/o any direct output will have influence of indirect output. This is normally unwanted as well.
In your case it sends an email even, so direct requests can be used to send emails. That is probably unwanted as well.
Not to mention the risks this can have in getting your stuff penetrated. Not that this would be the only place where it is possible, but you should keep the surface small.
Improved File-Handling
The best approach however is to store the applications code outside of the webroot, so that those files are never accessible by a direct HTTP request.