Your response entirely fails to address the parent's concern about security. It's like responding to a RCE in your backend with "yeah it's there but we'll trust the users to not use it"
I do not understand your example. It would not be the user triggering the RCE but rather a 3rd party. In addition I do not see how it fails to address their concern.
They do not need to, and unlike "webapps" there isn't a remote server that can change the code that you are running at any moment.