How to not install recommended packages? (there wasn't a choice, and anyway not installing recommended packages often implies - rightly or wrongly - security risks).
Regarding the apt "recommended" concept, it's a generic concept of optional functionality; it's orthogonal to security. If one wants to make a generic association with security, fewer recommended packages -> less functionality -> smaller attack surface.
If you want to disable the recommended packages installation by default, you can:
You may also want to disable the suggested packages:
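An added example, not part of the original post: a shell sketch that writes an apt configuration drop-in setting `APT::Install-Recommends` and `APT::Install-Suggests` to `"false"`, then reads back what apt will use. The file name `99no-recommends` and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: make apt skip Recommends/Suggests by default.
# CONF_NAME is an assumed file name; any name under apt.conf.d is read.
CONF_NAME="99no-recommends"

# Write the drop-in into the given directory (default: /etc/apt/apt.conf.d).
write_apt_minimal_conf() {
    dir="${1:-/etc/apt/apt.conf.d}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    cat > "$dir/$CONF_NAME" <<'EOF'
APT::Install-Recommends "false";
APT::Install-Suggests "false";
EOF
    chmod 0644 "$dir/$CONF_NAME"
}

# Print the value a config file sets for one option, e.g. Install-Recommends.
# If the option appears more than once, the last occurrence is printed.
conf_value() {
    sed -n "s/^APT::$2 \"\\(.*\\)\";\$/\\1/p" "$1" | tail -n 1
}

# Show the settings apt will actually use once all config files are merged.
effective_settings() {
    command -v apt-config >/dev/null 2>&1 || {
        echo "apt-config not found" >&2
        return 1
    }
    apt-config dump | grep -E '^APT::Install-(Recommends|Suggests) '
}
```

Run `write_apt_minimal_conf` as root and then `effective_settings` to confirm no other drop-in overrides the values. A single command can still opt back in with `apt-get install --install-recommends <package>`.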