coderaiser / join-io

join files on the fly to reduce requests count

May accidentally expose internal code

anhcao142 opened this issue

With the default config, I can request any .js file from my server through the /join prefix, i.e. http://localhost:3001/join:app.js

app.use(joinio({
    dir: __dirname,
    prefix: '/join',    /* default */
    minify: true
}));

Although I can protect my backend with a different dir path, should this be noticed beforehand?

Actually, this is what join does. It just joins any files from the dir. You should definitely put files you do not want anybody to see in another directory.
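Added example, not part of the thread and not join-io's own code: a startup check for the advice above. It lists what a given `dir` makes reachable and refuses a `dir` that contains server-side files. The helpers `listServable`, `isInside`, `assertPublicDir` and `makeSampleTree` are hypothetical names, the sample tree is constructed, and the code assumes (per the reply) that every file under `dir` can be requested.

```javascript
// Added example, not join-io code. Assumes, per the maintainer's reply,
// that every file under `dir` can be requested through the prefix.
const fs = require('fs');
const os = require('os');
const path = require('path');

// All files under `dir`, as '/'-separated paths relative to it.
function listServable(dir, rel = '') {
    const out = [];
    for (const entry of fs.readdirSync(path.join(dir, rel), {withFileTypes: true})) {
        const child = rel ? `${rel}/${entry.name}` : entry.name;
        if (entry.isDirectory())
            out.push(...listServable(dir, child));
        else if (entry.isFile())
            out.push(child);
    }
    return out.sort();
}

// True when `file` lives somewhere below `dir`.
function isInside(dir, file) {
    const rel = path.relative(path.resolve(dir), path.resolve(file));
    return rel !== '' && rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Startup guard (hypothetical helper): throw if `dir` contains server-side files.
function assertPublicDir(dir, privateFiles) {
    const leaked = privateFiles.filter((file) => isInside(dir, file));
    if (leaked.length)
        throw new Error(`join dir "${dir}" would expose: ${leaked.join(', ')}`);
    return dir;
}

// Constructed sample project: server code at the root, client code in public/.
function makeSampleTree() {
    const root = fs.mkdtempSync(path.join(os.tmpdir(), 'join-dir-'));
    fs.mkdirSync(path.join(root, 'public'));
    fs.writeFileSync(path.join(root, 'app.js'), '// server entry point\n');
    fs.writeFileSync(path.join(root, 'config.js'), '// server settings\n');
    fs.writeFileSync(path.join(root, 'public', 'client.js'), '// browser code\n');
    return root;
}

const sampleRoot = makeSampleTree();
console.log('dir = project root:', listServable(sampleRoot));
console.log('dir = public/:', listServable(path.join(sampleRoot, 'public')));
// In a real server: dir: assertPublicDir(path.join(__dirname, 'public'), [__filename])
```
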