Almost. The never-called code path may nonetheless reside in memory under control of a process with certain privileges, which does make it a tad less secure than a binary resting on disk. It’s also far more likely to be invoked by mistake (a bug) and you can’t totally remove it or take away its execute flag to drop that risk to basically zero.