Short answer: no more than the usual security any web server should be configured with. Long answer follows...
The PHP code is run on the server and only the results are sent to the browser; the user never gets to see any of the code unless
(a) you forget to put the <? ?> thingies around the code!
(b) the user gains access to the server's filesystem, or
(c) the server doesn't know what to do with PHP files and serves them up as plain text or html without running them, or
(d) the server does know to run PHP files, but the PHP code is not in a php file.
Case (d) might need a bit of clarification. Many people have auxiliary files they include() into their main PHP scripts, containing things like database connections, common constants and utility functions. Often, they give them an ".inc" file extension. It's very likely, though, that their web server hasn't been ordered to treat .inc files as anything other than a plain text file. So if someone takes a stab and requests "database.inc" and there is such a file, they'll be given exactly what you don't want them to get!
They might not need to even guess, however, if the server is configured to give a directory listing in the absence of an index.{html/htm/php} file.
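
A way to check a document root for cases (a) and (d) and for directories that would be listed, as an added example that is not part of the original answer. It assumes only `.php` is mapped to the PHP handler; `audit_docroot`, `build_sample` and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

PHP_TAG = re.compile(rb"<\?(php|=|\s)")   # <?php, <?= or the short <? tag
EXECUTED_EXTS = {".php"}                   # assumption: only .php is run by the server
INDEX_NAMES = {"index.html", "index.htm", "index.php"}

def audit_docroot(root):
    """Return (exposed_source, listable_dirs, untagged_php) as sorted relative paths."""
    exposed, listable, untagged = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if not INDEX_NAMES & set(files):
            listable.append(rel_dir)       # listing is shown if the server has it enabled
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                # Only the first 64 KiB is scanned for an opening tag.
                has_tag = PHP_TAG.search(fh.read(65536)) is not None
            ext = os.path.splitext(name)[1].lower()
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if has_tag and ext not in EXECUTED_EXTS:
                exposed.append(rel)        # case (d): PHP code served as plain text
            elif not has_tag and ext in EXECUTED_EXTS:
                untagged.append(rel)       # case (a): no <? ?> around the code
    return sorted(exposed), sorted(listable), sorted(untagged)

def build_sample(root):
    """Constructed sample tree; file names and contents are made up for the demo."""
    os.makedirs(os.path.join(root, "includes"))
    samples = {
        "index.php": b"<?php include 'includes/database.inc'; ?>",
        "forgot.php": b"$password = 'constructed-example';",
        "includes/database.inc": b"<?php $dsn = 'mysql:host=localhost'; ?>",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        labels = ("exposed source", "no index file", "no PHP tag")
        for label, hits in zip(labels, audit_docroot(tmp)):
            print(f"{label}: {hits}")
```

Files it reports as exposed source belong outside the document root, or under an extension the server executes or refuses to serve.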