To prevent malicious actor creating havoc in case of a breach I recommend that connectsecurepatch.exe and other binaries used for patch management is only present in the application catalog on devices when the global/local option of Enable Patching Status is enabled.

Please see the now closed ticket "Hardening Connectsecure agent and admin interface #55507" for reference.