There is a wp-tinymce.php file in /wp-includes/js/tinymce. The files in the folder don’t follow best practices and raise some doubts (e.g. Shield Security Unrecognised Files: wp-tinymce.js.gz).
The purpose of wp-tinymce.php is to detect whether the browser supports GZIP and, if so, to serve the static gzipped version of TinyMCE (wp-tinymce.js.gz) and set expires headers. I think it is not necessary today: almost all browsers support gzip, and web servers can handle the compression and headers themselves.
The same logic is performed in class-wp-editor.php, so the function of that PHP file is redundant.
Besides, it is suspicious to find a “.php” file in the “/js” folder. wp-tinymce.php is the only file in wp-includes which is called directly. If you remove this request, you can apply stricter security rules and harden your installation by blocking all direct HTTP requests for PHP files from wp-includes.
I suggest deprecating wp-tinymce.php and loading the regular TinyMCE JS from class-wp-editor.php.
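Before applying the blanket block described above, a site owner can check their own access log for direct PHP requests under wp-includes. The following is an added example, not part of the original post or of WordPress; it assumes the combined log format, and the sample lines, including the `legacy-endpoint.php` name, are constructed for illustration.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-includes/js/tinymce/wp-tinymce.php?c=1&ver=4.9 HTTP/1.1" 200 120000 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-includes/js/jquery/jquery.js?ver=1.12 HTTP/1.1" 200 97000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:10 +0000] "GET /wp-includes/class-wp-editor.php HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:10:01:11 +0000] "GET /wp-includes/js/../legacy-endpoint.php HTTP/1.1" 200 15 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 50 "-" "Mozilla/5.0"
"""

# Request line and status code as they appear in the combined log format.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# The one directly requested file the post names.
ALLOWED = "/wp-includes/js/tinymce/wp-tinymce.php"


def direct_php_hits(log_text):
    """Count (path, status) pairs for PHP files requested under /wp-includes/."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Drop the query string, decode %xx and collapse "../" so that
        # differently written URLs for the same file are counted together.
        path = posixpath.normpath(unquote(urlsplit(m["target"]).path))
        if path.startswith("/wp-includes/") and path.lower().endswith(".php"):
            hits[(path, int(m["status"]))] += 1
    return hits


def would_break(hits):
    """Paths other than wp-tinymce.php that currently get a non-error response."""
    return sorted({p for (p, status) in hits if p != ALLOWED and status < 400})


if __name__ == "__main__":
    found = direct_php_hits(SAMPLE_LOG)
    for (path, status), count in sorted(found.items()):
        print(f"{count:5d}  {status}  {path}")
    print("review before blocking:", would_break(found))
```

An empty `would_break` list over a representative log period means only wp-tinymce.php would be affected by a rule that denies direct PHP requests under wp-includes.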