As the data transfer is usually implemented, SFTP is okay; actually, the files might as well be sent over common email if they're properly formed (encrypted; signed; in a format that doesn't allow replay attacks). Breaking that FTP server could only delay service, as you'd know that the transactions didn't go through as intended and would use a backup channel to send them.
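A sketch of what "properly formed" can mean on the receiving side, as an added example that is not part of the original post: each file carries its sender, a sequence number and a timestamp under an authentication tag, so a tampered, stale or re-sent file is rejected whatever channel delivered it. Assumptions: HMAC with a shared key stands in for a real digital signature, encryption is left out, and `seal`, `Receiver` and `MAX_AGE` are hypothetical names.

```python
import hashlib, hmac, json

MAX_AGE = 300  # assumed policy: seconds a file may spend in transit

def seal(key, sender, seq, payload, now):
    """Sender side: bind payload to sender, sequence number and timestamp."""
    body = json.dumps({"sender": sender, "seq": seq, "ts": int(now),
                       "payload": payload}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()

class Receiver:
    def __init__(self, keys):
        self.keys = keys      # sender id -> key
        self.last_seq = {}    # sender id -> highest sequence number accepted

    def accept(self, blob, now):
        """Return 'accept' or a 'reject: ...' reason for one received file."""
        try:
            env = json.loads(blob)
            body, tag = env["body"], bytes.fromhex(env["tag"])
            fields = json.loads(body)
            sender, seq, ts = fields["sender"], fields["seq"], fields["ts"]
            key = self.keys[sender]
            expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        except (ValueError, KeyError, TypeError):
            return "reject: malformed"
        # Authenticate first; only then trust the fields inside the body.
        if not hmac.compare_digest(expected, tag):
            return "reject: bad signature"
        if abs(now - ts) > MAX_AGE:
            return "reject: stale"
        # A strictly increasing sequence number makes a re-sent file useless.
        if seq <= self.last_seq.get(sender, 0):
            return "reject: replay"
        self.last_seq[sender] = seq
        return "accept"

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    rx = Receiver({"client-1": key})
    f = seal(key, "client-1", 1, "PAY 250 EUR TO ACME", now=1000)
    print(rx.accept(f, now=1010), "|", rx.accept(f, now=1020))
```
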