Are there any security implications for exposing this thumbprint? Will it compromise my signing key?
https://developers.google.com/web/updates/2019/02/using-twa#remove_the_url_bar
There are no security implications from adding the SHA-256 Fingerprint to the assetstatements.json file.
In fact the Fingerprint is already available as part of any signed APK, and it can be viewed with the following command:
keytool -printcert -jarfile app-debug.apk
It is also possible for one Android app to view the Fingerprint from another app, using an approach similar to the one described in this question.
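The following is an added example, not part of the original answer. It shows that the fingerprint is only a SHA-256 hash of the public signing certificate, so publishing it reveals nothing about the private key, and it checks a certificate against a statement list. It assumes the Digital Asset Links statement layout; the helper names, the package `com.example.twa` and the certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import json

def pem_to_der(pem: str) -> bytes:
    """Drop the PEM armor lines and base64-decode the body to DER bytes."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----")))

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the public certificate bytes, as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def build_statements(package: str, der: bytes) -> str:
    """Produce a statement list in the Digital Asset Links layout."""
    return json.dumps([{
        "relation": ["delegate_permission/common.handle_all_urls"],
        "target": {
            "namespace": "android_app",
            "package_name": package,
            "sha256_cert_fingerprints": [cert_fingerprint(der)],
        },
    }], indent=2)

def statement_allows(statements_json: str, package: str, der: bytes) -> bool:
    """True if the certificate's fingerprint is listed for this package."""
    want = cert_fingerprint(der)
    for stmt in json.loads(statements_json):
        target = stmt.get("target", {})
        if target.get("namespace") != "android_app" or target.get("package_name") != package:
            continue
        listed = {fp.strip().upper() for fp in target.get("sha256_cert_fingerprints", [])}
        if want in listed:
            return True
    return False

# Constructed stand-in bytes (not real certificates): the fingerprint is a
# hash of whatever public certificate bytes are embedded in the signed APK.
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(b"constructed stand-in for the app's DER certificate").decode()
                   + "\n-----END CERTIFICATE-----\n")
OTHER_CERT_DER = b"constructed stand-in for a different signer's certificate"

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_CERT_PEM)
    statements = build_statements("com.example.twa", der)
    print(statements)
    print("app cert allowed:  ", statement_allows(statements, "com.example.twa", der))
    print("other cert allowed:", statement_allows(statements, "com.example.twa", OTHER_CERT_DER))
```

Only the certificate's public bytes go into the hash; a build signed with a different key produces a different certificate and fails the match.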