by lxgr 1729 days ago
Yes, but that's a deliberate security–convenience trade-off then.

One solution is to use proxy servers or per-app VPNs (without local network access) instead of a system-wide VPN, and effectively partition applications into trusted and untrusted ones.

1 comments
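One concrete way to get the "per-app VPN without local network access" partitioning lxgr describes on Linux, as an added example that is not part of the thread: run the untrusted application in its own network namespace whose only interface is the VPN tunnel, and load an nftables ruleset there that drops anything addressed to local ranges. The interface name `tun0`, the namespace name `untrusted`, and the table name `appvpn` are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the HN thread): per-app network isolation on Linux
# with a network namespace plus nftables. Assumes iproute2 and nftables are
# installed; "tun0", "untrusted" and "appvpn" are placeholder names.

# Ranges the untrusted namespace must never reach: RFC 1918 private space
# and link-local. Everything else may only leave through the VPN interface.
LOCAL_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"

# Emit the nftables ruleset as text. Default policy is drop, local ranges are
# dropped explicitly, and only loopback or the VPN interface may be used.
# This function only prints; it is safe to run without privileges.
gen_nft_ruleset() {
    vpn_if="${1:-tun0}"
    printf 'table inet appvpn {\n'
    printf '  chain output {\n'
    printf '    type filter hook output priority 0; policy drop;\n'
    for r in $LOCAL_RANGES; do
        printf '    ip daddr %s drop\n' "$r"
    done
    printf '    oifname "lo" accept\n'
    printf '    oifname "%s" accept\n' "$vpn_if"
    printf '  }\n'
    printf '}\n'
}

# Sanity check used when reviewing the generated policy: how many local
# ranges does it block?
count_blocked_ranges() {
    gen_nft_ruleset "$1" | grep -c 'ip daddr .* drop'
}

# Apply the partition (requires root): create the namespace, move the VPN
# tun device into it, and load the ruleset inside the namespace only, so the
# host's own networking is untouched. Re-adding the tunnel address and a
# default route inside the namespace is VPN-client specific and not shown.
# Untrusted apps are then started with:
#   ip netns exec untrusted sudo -u "$USER" some-app
setup_untrusted_ns() {
    ns="${1:-untrusted}"
    vpn_if="${2:-tun0}"
    ip netns add "$ns"
    ip link set "$vpn_if" netns "$ns"
    ip -n "$ns" link set lo up
    ip -n "$ns" link set "$vpn_if" up
    gen_nft_ruleset "$vpn_if" | ip netns exec "$ns" nft -f -
}

# Usage: ./appvpn.sh            -> print the ruleset for review
#        ./appvpn.sh apply      -> create the namespace and load it (root)
if [ "${1:-}" = "apply" ]; then
    setup_untrusted_ns "${2:-untrusted}" "${3:-tun0}"
else
    gen_nft_ruleset "${1:-tun0}"
fi
```

The ruleset is loaded inside the namespace rather than on the host, so the trusted applications keep normal local-network access while anything started under `ip netns exec untrusted` can only talk through the tunnel.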

I've done that partitioning with virtual machines. I don't see how it's a "tradeoff". Yes, every additional service you expose can have its own security flaws, but you have to get data in/out of a VPN'd VM somehow. Even if I allocated more local storage to the VM and only ssh'd in to send/receive files, the ssh client could have a hole in it. nfsd, samba, sshd, and ssh are designed to do singular jobs. The issue in this case is the exposing of a consumer router that was never designed for security from the local network.