I'm not sure. PProPanel declares (in its manifest) the path to one .jsx file; from within that file, it loads any others, from within its directory.
Your panel could download a .jsx file somewhere, but don't save it into your extension directory, or you'll un-sign your panel.
That downloaded file may need to be in place very early, if you want its functions to be available throughout that PPro session...
Fetching over http is a very bad idea, this is prone to server attacks as well as man-in-the-middle attacks. There's a reason why Adobe requires Panels to be signed...
I asked this question 3 years ago... we have implemented loading of JSX over HTTP for our panel extension, whereby the ZXP only consists of a simple iframe, and the application itself is loaded over HTTP into the iframe.
Having said that - this is indeed a big concern in terms of security. We are currently in the process of rebuilding our panel so that all application logic is signed, sealed and delivered with the ZXP.