Yeah, I have definitely never heard of port 3838 being "a security vulnerability." As was mentioned above, that is just the default, which can be changed. When you say "used with sensitive data," I immediately start to think about authentication / etc., which I know you mentioned is not a concern. It would probably benefit you (and the discussion here) to dig a bit more into understanding your IT team's concerns. Rest assured that many people and organizations are using Shiny with sensitive data.
The only "port vulnerabilities" are usually the "privileged ports" from 1-1023. The things that an IT team is normally more concerned with is the use of HTTPS, scaling, access controls, cross-origin requests, etc. All of those things can be managed yourself in Shiny / Shiny Server / nginx, or configured in professional/paid software like RStudio Connect.