Up until Magnolia 5.3, /.resources was used only for admincentral resources. Presumably, that's why CrossSiteSecurityFilter is configured by default with a bypass for this path.
Starting with 5.4 and resources module 2.4, /.resources will be used to serve resources (through ResourcesServlet and new ResourcePath API). Maybe we need to change the default bypass to make this more visible to users upgrading ? And/or simply document this ?