Thank you for this great suggestion!
They are not, but are answered directly by nginx: see `desec-stack/www/conf/sites-available/10-dedyn-checkip.conf.var` at `main` in the desec-io/desec-stack repository on GitHub (look for `return`).
This is about as cheap as sending a "429 Too Many Requests" response.
Those are unprotected responses, so a capable attacker could spoof the response, and then cause your update client to make a request to place a malicious record in your domain’s DNS.
It would not be a big issue to make an exception for that specific query name to be signed on the secondaries.
We already do that for RFC 9615 bootstrapping records, those are signed on the fly on the secondary:
```
$ dig +short _dsboot.dedyn.io._signal.ns1.desec.io CDS +dnssec
35233 13 4 CE807E76229D64AAE886B2732355BDD68E2C9D1039609085DFE15933 FE031C71981A7FA77F45B22192F76724A9B29FB9
35233 13 2 9C672AE324884F9A0174330CA7644F6960172C1D94023F946F707639 BE6D3AB0
```
Stay secure,
Peter