There is no security breach to allow access to the fields ( I do not like the term attribute for this , yet more in this context). At most it's an encapsulation break, but it still depends on the case.
If you only have the private field, everything normal, no problem, you can do at will. The problem starts getting more complicated when you have both.
In fact nothing prevents you from accessing one or the other as needed. Obviously, direct field access only allows you to pick up the value and change its value. The getter / setter methods may give the impression that it is a common access, but they may be performing other actions at the time of access or assignment. So they are only equivalents by coincidence. Their purposes are different.
The ideal is to access by methods (when they exist) to maintain consistency. But if you have a good reason to access the field and know of the implication that direct access will not perform the actions normally set in the methods, that's ok.
Then the answer is depends. The most important thing is to understand that the call of one or the other potentially has quite a different semantics. This can be very confusing.
Methods are usually slower, but when accessed privately, there is an optimization, and the method call is likely to be replaced by its code ( inline expansion ).
As a matter of curiosity, methods are created by default by programmers, even if their only action is access and direct assignment without doing anything else, that is, it does the same as if they were accessing the direct field, because if one day of the methods, they were already being used. If you start by making the field public and one day you need to add a processing to your read or write access, then the method will have to be added by changing the public API and requiring all of its consumer codes to be changed. Creating an abstraction increases encapsulation and improves decoupling by hiding deployment details.
So if the code will only have access to the field privately OR you are absolutely sure that you will never have a method to access that field, you can expose the field. If you can not guarantee this, it is safer to create the methods. Unless the API is not so public and accepted to change consumer codes.
What is best depends on each scenario. What you can not do is nail the decoupling and expose the implementation detail, which is the field. Or you will have one benefit or the other.
I replied something similar about C # .