Unless I am not understanding the code correctly (highly possible...), once the bootloader has restarted into DFU mode, no bond is required to upload new firmware. This works great if you have to physically press a button to enter DFU mode.
It is not so safe when doing it buttonless, since anyone with "nRF Toolbox" could potentially upload an image. Yes, I know there is DEVICE_TYPE and DEVICE_REVISION as a safety check.
Is it possible to require being bonded to the application before allowing the restart into DFU? Maybe by changing the security setting of one of the DFU characteristics? I know the DFU bootloader changes the GAP address, so the bond wouldn't be valid anymore, but that's OK if you can prevent getting into DFU without a bond in the first place.
Thanks.