When do=check is used, an attempt to fetch a file directly from the data directory is made. This test will often display "Failed" even if the data directory is not accessible.
When URL rewriting is not in use, the test improperly creates the test URL as "/doku.php?id=startdata/_dummy". If URL rewriting is in use, the URL it fetches may not return 403 or 404, but 200 with the standard "this page does not exist" message. Or worse, it may return a page with the text "data directory" that would cause the test to report a false-positive.
Is this test even necessary since data/security.png has been introduced? The two tests do the same thing. They both suffer from the same inadequacies when the data directory is moved (see
FS#2111). I don't believe there is an advantage to having the server attempt to fetch the security check, versus using an image tag.