Thanks for the feedback guys! I think you're all right.
I'm going to take the advice to ship with all core resources bundled and cache any further downloads to minimize the need for an active connection.
The resources are images, wave-files and configuration files (xml) and no executables so I (knock on wood) think I'm safe security-wise. I'll look into the topic further to reduce the risk for exploits because it's easy to make mistakes. I think I'm handling the download buffers correctly but I won't make that my famous last words
ps. When I said I download script files I meant behavior tree definitions in xml format. Not scripts that are interpreted.