Perhaps try using Responsive HTML as an output type?
Even then there's still a lot of messages going forward and the ehlpdhtm.js is shared across outputs.
But the postMessage option used is safe since you need to write code specifically for getting these messages. No hijacking can just be done through this. (See also Window.postMessage() - Web API Interfaces | MDN)
The concern here is the domain policy in the call where the * is too permissive. But since the help can be placed on any given URL, there is no way for Adobe to do it differently. Personally, I don't believe this is an issue as postMessage is meant for secure communication and it's not something you can just hijack.
I will pass that along. I'm not in direct contact with the customer's security people, so I don't know their level of concern beyond what was passed to me.
In any case, thanks!