This task provides information about libexpat-1 in Gpg4win and what will happen to it.
There were some concerns because libexpat does contain vulnerabilities and this library will be installed if users install Gpg4win.
I am assuming the following: GPA uses the GTK+ framework, which needs the library fontconfig. That library in turn uses libexpat.
Fact is: libexpat is only used internally. That's why it is no security risk.
When users install Gpg4win it is now the case that libexpat will also be installed even if users didn't choose to install GPG. There is another task (https://dev.gnupg.org/T5877) and probably the dependencies will be adapted so libexpat will only be installed with GPA.