Huh? One of us is having difficulty following this discussion, is it me or you? If I try to backtrack through the thread I think we are discussing a command using foo.sh as a temporary file.
You've assumed foo.sh is a temporary script. It was my invented name of the OP's script (because this wasn't specified by the OP) that contains the function xxx that the OP is wanting to use. No new files (temporary or otherwise) need to be created.
If the OP's script is in a location where it can be modified/removed/replaced by someone else then that's a problem, but it affects all of the proposed solutions, not just mine, as they are all as susceptible to modification/replacement.
And yes, with that solution you've got to clear it out if you want to run it again on another set of files, but that's not exactly tricky. And it was only a suggestion in reply to the point about forking/execing bash for each file.
If you're going to go down the security route then I'd concentrate more on the binaries that are specified within these scripts without full paths which opens the door for PATH and alias style attacks.
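As an added illustration of the last point (not code from the thread or from the OP's script): a hardening preamble that a script like foo.sh could use so that the tools it calls are resolved from a pinned PATH, with aliases and functions removed, rather than from whatever the caller's environment provides. The name `resolve_tool` and the choice of /usr/bin:/bin are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: pin PATH and verify each external
# tool before use, so a caller's PATH, aliases or functions cannot hijack it.

# 1. Never inherit the caller's PATH; use system directories only (assumed set).
PATH=/usr/bin:/bin
export PATH

# 2. Drop aliases that could shadow a command name (no-op in non-interactive sh).
unalias -a 2>/dev/null || :

# resolve_tool NAME
# Prints the absolute path of NAME as found on the pinned PATH, failing unless
# it is a regular executable file under /usr/bin or /bin. Builtins and
# functions are rejected on purpose: only a real binary is accepted.
resolve_tool() {
    name=$1
    # Refuse paths, option-like names and anything with shell metacharacters.
    case "$name" in
        ''|-*|*/*|*[!A-Za-z0-9._-]*)
            echo "resolve_tool: bad tool name '$name'" >&2; return 1 ;;
    esac
    # A shell function of the same name would answer `command -v`; remove it.
    unset -f "$name" 2>/dev/null || :
    path=$(command -v "$name") || { echo "resolve_tool: $name not found" >&2; return 1; }
    case "$path" in
        /usr/bin/*|/bin/*) ;;
        *) echo "resolve_tool: $name resolved to '$path', not a system binary" >&2; return 1 ;;
    esac
    [ -f "$path" ] && [ -x "$path" ] || {
        echo "resolve_tool: $path is not an executable file" >&2; return 1; }
    printf '%s\n' "$path"
}

# Resolve each tool once, then call through the variable so every invocation
# in the script uses the same verified binary (commented out so that sourcing
# this file has no side effects):
# FIND=$(resolve_tool find) || exit 1
# "$FIND" . -type f -name '*.txt'
```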