[ad_hominem]

ONTs typically terminate to Ethernet at the customer premises so it's effectively the exact same thing as a cable modem. So not any more secure than having cable and using the cable company's provided modem.

If you tapped someone's fiber line, all the traffic between the ISP headend and customer premises (OLT and ONT if we're talking fiber) will be encrypted. In fact on a PON network using TDM it has to be, because if you stared down your own fiber you would be seeing all your neighbors' traffic as you're all time-sharing the same laser diode at the ISP headend (because it's a passive network, you will be seeing your neighbor's traffic when the diode is transmitting outside of your designated time cycle).

Anyway my only point was to inform OP that contrary to their belief, they effectively are in the situation of having an ISP-owned modem.

[solotronics]

When I was setting this up for an ISP a few years ago the TDM was just a SFP that has its own MAC address inside. Its doing the TDM part inside the SPF itself. When we configured a new customer it was just adding the MAC to the config of an interface on an alcatel router at the hub side. You might not be able to transmit without interference but I bet you could spoof the MAC of a neighbor on the same fiber and listen in.

[ad_hominem]

Wow that is very interesting! That would be a worthwhile experiment to test out for sure.