The GWT dev plugin requires the webserver+codeserver pair of host+port to be whitelisted so there's absolutely no security risk in deploying hosted.html. The benefit of deploying it is that you can debug your app with your production server.
Note: that necessary whitelisting is to prevent “XSS triggered by a simple query-string parameter”. An attacker could otherwise make you run a trusted GWT app with their own code server.