node.js express assets

Should private static files be outside of the public folder?


From my understanding, public folder holds most static assets such as my index.html page and videos. Are these assets public/accessible to users?

I am wondering if I wanted to keep a video private and secure such as security footage, should I move the video to a different folder and not the static public folder where express is serving the static files such as my index.html?


Solution

  • The public folder that express.static() is pointed at will be accessible to anyone in the outside world, so you should not put anything in there that isn't meant to be public. It's typically named "public" for that very reason - those are publicly accessible resources.

    A private video that requires credentials before viewing should be kept elsewhere and should be accessible only through a route that verifies appropriate credentials before serving.

    > From my understanding, public folder holds most static assets such as my index.html page and videos.

    Yes, that is generally correct.

    > Are these assets public/accessible to users?

    If you don't have any auth check or credential check before your express.static() middleware, then yes these assets are available to the public.
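
One way to wire up the separation the answer describes, as an added example that is not part of the original answer. It assumes a session middleware that sets `req.session.userId` after login; `PRIVATE_DIR`, `requireAuth`, `isSafeMediaName`, `createApp` and the `/videos/:name` route are hypothetical names.

```javascript
// Added example. Assumption: sessionMiddleware (e.g. a configured
// express-session) sets req.session.userId after a successful login.
const PUBLIC_DIR = `${process.cwd()}/public`;          // served to anyone
const PRIVATE_DIR = `${process.cwd()}/private-media`;  // hypothetical sibling dir

// Gate: pass the request on only if the session carries a logged-in user.
function requireAuth(req, res, next) {
  if (req.session && req.session.userId) {
    return next();
  }
  // Stop here, so the file handler behind this gate never runs.
  res.status(401).send('Authentication required');
}

// Accept only plain media file names: no slashes, no "..", no dotfiles.
function isSafeMediaName(name) {
  return typeof name === 'string' && /^[A-Za-z0-9_-]+\.(mp4|webm)$/.test(name);
}

// express is passed in by the caller: createApp(require('express'), session)
function createApp(express, sessionMiddleware) {
  const app = express();

  // No checks in front of this mount: everything in PUBLIC_DIR is public.
  app.use(express.static(PUBLIC_DIR));
  app.use(sessionMiddleware);

  // Private videos are reachable only through this route, after requireAuth.
  app.get('/videos/:name', requireAuth, (req, res) => {
    if (!isSafeMediaName(req.params.name)) {
      return res.status(400).send('Invalid file name');
    }
    // root confines the lookup to PRIVATE_DIR.
    res.sendFile(req.params.name, { root: PRIVATE_DIR });
  });

  return app;
}
```

Because `PRIVATE_DIR` is a sibling of `PUBLIC_DIR` rather than a subfolder, the open `express.static()` mount cannot reach the footage even if the route is misconfigured.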