We really haven't tested with FB's fallback from not having cURL installed. We're also moving towards using it more for some of our features (avatar importing for now, but other things going forward). Sorry your having difficulties, but I don't know of a good solution without it. Generally, cURL is thought to be pretty secure from outside attacks. Certainly, if you're installing unknown software, anything can happen, and cURL can be used in those cases for nefarious purposes.
I understand your desire to disable it, but don't know of easy ways around it. Let us know if you come up with anything, and if you can't get it to work (or don't want to continue trying), we'd be happy to issue a refund. It's not our intent to leave you alone up the river.