If you use the nosuid and privileged port features in the portmapper/NFS software, you avoid many of the presently known bugs in NFS and can almost feel secure about that at least. But still, after all that: when an intruder has access to your network, s/he can make strange commands appear in your .forward or read your mail when /home or /var/mail is NFS exported. For the same reason, you should never access your PGP private key over NFS. Or at least you should know the risk involved. And now you know a bit of it.
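
An added example, not part of the original text: a small audit that reads fstab-format lines and reports NFS mounts lacking nosuid, plus NFS mounts of the paths named above (/home, /var/mail), which stay exposed to a network intruder even with nosuid set. The function names, finding labels, server name and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit fstab-format text for NFS mounts.
# Reads fstab lines on stdin and prints one finding per line:
#   NOSUID_MISSING <mountpoint>  NFS mount without the nosuid option
#   SENSITIVE_NFS  <mountpoint>  home or mail directories served over NFS
# The finding labels are hypothetical names chosen for this example.

audit_nfs_fstab() {
    awk '
    $1 ~ /^#/ || NF < 4 { next }       # skip comments, blank and short lines
    $3 !~ /^nfs/        { next }       # only NFS file system types
    {
        # Split the comma-separated option field and look for nosuid
        n = split($4, opts, ",")
        nosuid = 0
        for (i = 1; i <= n; i++)
            if (opts[i] == "nosuid") nosuid = 1
        if (!nosuid) print "NOSUID_MISSING " $2

        # nosuid does not protect .forward files or mail spools, so
        # these paths are reported whatever the mount options are
        if ($2 == "/home" || $2 ~ /^\/home\// || $2 == "/var/mail")
            print "SENSITIVE_NFS " $2
    }'
}

# Constructed sample input (server name and exports are illustrative)
sample_fstab() {
    cat <<'EOF'
# device                mountpoint fstype options    dump pass
/dev/ada0p2             /          ufs    rw         1    1
fileserver:/export/home /home      nfs    rw         0    0
fileserver:/export/mail /var/mail  nfs    rw,nosuid  0    0
fileserver:/export/src  /usr/src   nfs    ro,nosuid  0    0
fileserver:/export/pub  /pub       nfs    ro         0    0
EOF
}

sample_fstab | audit_nfs_fstab
```

To check a real client, feed it the system table instead of the sample: `audit_nfs_fstab < /etc/fstab`.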
NFS and the portmapper make up a complex subsystem, and therefore it's not totally unlikely that new bugs will be discovered, either in the basic design or in the implementation we use. There might even be holes known now, which someone is abusing. But that's life. To keep abreast of things like this you should, at an absolute minimum, read the mailing list freebsd-security@FreeBSD.org.