The wp-config.php file is unlocked, but is not re-locked for a technical reason during the ini_set Options setup so yep you need to lock it again after that is done.
The /bps-backup/logs folder is .htaccess protected by a Deny All .htaccess file, which means that the bps-backup folder is not accessible to anyone except for you. Also since WordPress plugin installations delete all plugin files, including your php error log, before installing the new plugin files then what would happen if you were using the old php error log location in the /bulletproof-security/ plugin folder is that your current php error log would be deleted. This is the standard/normal way that WordPress performs plugin upgrades/installations/updates. So by storing your php error log in the /bps-backup folder it is not deleted when you upgrade/update BPS Pro.