I don't think you understand how composer works, we will add a custom URL with our authorisation tokens for our projects which will fetch directly from Invision's servers directly. It's no less secure than how the current update system is implemented already, just provides another method of integration.