Moving static files into the filesystem without permission checks is the best bet.
OR If the URLs match a consistent pattern, or you can write a URL handler for those type of content repository resources, you could proxy them with something like NGINX.
This might be the simplest solution. NOTE that the content repository does include a feature to publish content repository items to the filesystem specifically to remove the datbase overhead. If you published them to a /resources directory you'd get the additional benefit of no permission checks.
On top of the filesystem publish, proxying to remove all Tcl overhead, all /resources URL should give the maximum benefit.