If you’re required to be in compliance with some sort of data storage regulations, you’ll need to consult those regulations to figure out what their requirements are. If you’re just trying to do best by your users, that sounds reasonable, although the obvious target would appear to be the location where you’ve stored the encryption and consumer keys. I’m not sure that being outside of the webroot helps if you have a vulnerability in your app which allows reading from arbitrary disk locations, for example, so locking down permissions and the accounts which your web services run under would be another place to pay close attention.
I would say that if your OAuth token database were compromised, it would certainly not be as bad as losing a password database. You’re always able to regenerate your consumer credentials on dev.twitter.com, which will invalidate the access keys created with the compromised key, which is a huge benefit of using OAuth.
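As an added illustration of the hardening points above (not code from the answer's author): a small Unix-only check that a file holding encryption or consumer keys sits outside the webroot, is not a symlink, is readable by its owner only, and is owned by the expected service account. The function name, the paths and the `PLACEHOLDER` secret are constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path


def check_key_file(key_path, webroot, service_uid):
    """Return a list of findings for a key file; an empty list means it passes."""
    findings = []
    key = Path(key_path).resolve()
    root = Path(webroot).resolve()
    # 1. The key must not live anywhere under the web server's document root.
    if key == root or root in key.parents:
        findings.append("key file is inside the webroot")
    try:
        st = Path(key_path).lstat()          # lstat: inspect the link itself, not its target
    except FileNotFoundError:
        return findings + ["key file does not exist"]
    # 2. A symlink inside a "safe" directory can point anywhere; refuse it.
    if stat.S_ISLNK(st.st_mode):
        findings.append("key file is a symlink")
    # 3. No group or other bits at all: only the owner may read the key.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key file is readable by group or others (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    # 4. The owner must be the account that is meant to hold the key.
    if st.st_uid != service_uid:
        findings.append("key file is not owned by the expected service account")
    return findings


def demo():
    """Constructed scenario: a weak and a hardened key file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "htdocs")
        os.makedirs(webroot)
        weak = os.path.join(webroot, "keys.ini")        # inside webroot, world-readable
        with open(weak, "w") as f:
            f.write("consumer_secret=PLACEHOLDER\n")
        os.chmod(weak, 0o644)
        good = os.path.join(tmp, "etc", "keys.ini")     # outside webroot, owner-only
        os.makedirs(os.path.dirname(good))
        with open(good, "w") as f:
            f.write("consumer_secret=PLACEHOLDER\n")
        os.chmod(good, 0o600)
        me = os.getuid()                                # the current user stands in for the service account
        return {"weak": check_key_file(weak, webroot, me),
                "hardened": check_key_file(good, webroot, me)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or "OK")
```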