I dont see any security threats since now in the new situation the Userhelper will be garbage collected, when Person will be garbage collected (when it is no longer used on page).
If you want to be sure, you should make an association from the Userhelper to the Session (System entity) with delete behavior that removes the Userhelper when Session is removed. This way you are sure the Userhelper object no longer lives than allowed and it wont be garbage collected as long as the session runs.
This is a hard one to answer without the model. You should a tool like the security inspector: https://marketplace.mendix.com/link/component/106594 to double check if this is an issue or not. Because if the end user can now see more more data about the Person object it might be problamatic. But if the person can only see it's own Person data it is no problem. So do use such a tool or Javascript to check this.
Regards,
Ronald