There's no problem in embedding well-audited dependencies; no one would be more secure than by using libsecp256k1 directly (maybe the system overall could be fragile in case a vulnerability is discovered, but for your software it is the best option).
The problem is taking shortcuts to add features instead of slowly building (and sometimes simply not building at all) less necessary things.
Some of these shortcuts consist of embedding too many, and low-quality, dependencies, or using frameworks and making these shortcuts squared.