A couple thoughts...

1.  Using TCP you can choose server-prompted mode OR client-polling mode;
this might alleviate concerns about who is connecting to the server --- in
concert with passwordaccess=generate and server authentication (which is
encrypted);
2.  The next version of ADSM will probably have data encryption support;
this was discussed at the last several SHARE meetings, acknowledged as a
requirement and (only recently) postponed in order to "do it right" ---
apparently, the developers had cooked up a proprietary design for their
implementation that didn't allow for plug-in support (for RSA or PGP, or
whatever)... now, they've gone back to design a way to support encryption
using whatever method a customer may already have (the default being RSA?).
This item was specifically discussed at SHARE this past February in San
Francisco.  Latest word is "maybe in V4, currently scheduled for GA around
4Q99".