The alternative (such as it is) in a case like this is to send out Action 3 instead - “download with nohash”.
This option disables hash-checking on the downloaded files, so it does raise your risk slightly (since we don’t validate the downloaded files, there is a potential for a MITM attack). That risk should be reduced in this case, since we don’t execute the downloaded files; we execute the already-installed ClickToRun updater and point it at these files as data, and ClickToRun should reject an update if it isn’t digitally signed. But in general, ‘add nohash prefetch’ is to be used with care, or not used at all.
There’s also the consideration that we only perform the download to the Server once for the action - if you send the action today, the files are downloaded now; if Microsoft changes the download binaries tonight, and you have a machine come online tomorrow and execute the action, it will still be using the “old” version of the files. And if you copy the action later, the new copy would get the new download files.
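
The trade-off described above, as an added example that is not part of the original post and not the product's own code: a toy model of a cache that downloads once per action, with hash checking either on or off. The `ActionCache` class, the action names, the URL and the payloads are all constructed for illustration.

```python
import hashlib


class ActionCache:
    """Toy model (assumption): the server downloads a URL once per action."""

    def __init__(self, fetch):
        self._fetch = fetch   # callable url -> bytes, stands in for the network
        self._store = {}      # (action_id, url) -> cached bytes

    def get(self, action_id, url, sha256=None):
        key = (action_id, url)
        if key not in self._store:          # first request for this action
            data = self._fetch(url)
            # Hash-checked mode: refuse anything that is not the pinned content.
            # With sha256=None (the "nohash" case) whatever arrived is cached.
            if sha256 is not None and hashlib.sha256(data).hexdigest() != sha256:
                raise ValueError(f"sha256 mismatch for {url}")
            self._store[key] = data
        return self._store[key]


def demo():
    url = "https://vendor.example/update.cab"    # constructed URL
    upstream = {url: b"build-1"}                 # constructed payload
    cache = ActionCache(lambda u: upstream[u])
    pinned = hashlib.sha256(b"build-1").hexdigest()

    out = {}
    out["first"] = cache.get("action-A", url)          # nohash: caches build-1
    upstream[url] = b"build-2"                         # vendor replaces the file
    out["late_client"] = cache.get("action-A", url)    # same action: old bytes
    out["copied_action"] = cache.get("action-B", url)  # copied action: new bytes
    try:
        # An action pinned to build-1 rejects the changed content, whether the
        # change came from the vendor or from someone on the network path.
        cache.get("action-C", url, sha256=pinned)
        out["pinned"] = "accepted"
    except ValueError:
        out["pinned"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

In the nohash runs nothing in the cache layer distinguishes a vendor update from altered bytes, which is why the signature check in the consuming updater carries the whole integrity burden.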