If you are really afraid of this, you can either :

-use a P2P service for the original purchase of your BTC, without KYC, so you don't have to worry about all that.
-or use a coin mixer before sending it to your friend, but you risk to flag the coins doing that

This is another excellent reason not to use a CEX to buy your coins. There's no point in using them, as we have Bisq, Peachbitcoin and many others at our disposal (kycnot.me is your friend).

As for the substance of your question, it's complex, the real question is more: why would an agency be interested in your friend activities ? He would need to truly exagerate to get them to look for you following a transaction he might have made with the coins you sent to him...