Your’re not paranoid. Most companies will have a “do not discuss security matters” in the Ops manual...

Whilst the text of what is in the relevant QRH/FCOM/FCTM (as appropriate) is no doubt in the public domain I’d hope nobody starts drifting into discussing anything beyond that.