Heureka!
We finally have our code signing certificate and it indeed nolonger triggers a deep screening and nolonger crashes the inno setup. Everything is now like it should be: 2 normal file scans, one from the outer installer and one from the inner installer. No errors, just smooth and fast execution. We definitely should have done that earlier!
Just wanted to update that thread to confirm that a valid signature is given trust here and avoids issues with the deep screening sandbox.