by kiney 792 days ago
Easiest way nowadays to get secure NFS is to just set up a WireGuard tunnel
1 comments

No because you still have to trust the client.

With Kerberos a hacked client where user 1 has authenticated can't impersonate user 2 unless that user has also authenticated on the client.

With sec=sys the client is simply trusted without any per-user authentication.

In most cases you can just use more fine-grained exports, e.g. export /home/user1 to 10.0.0.1 and /home/user2 to 10.0.0.2 instead of /home to 10.0.0.0/24, etc.
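
An added example, not part of any comment in the thread: a small Python check that reads `/etc/exports` content and reports every export that still permits `sec=sys`, separating single-host exports (the fine-grained layout suggested above) from subnet or wildcard ones. The sample file contents and the function names are constructed for illustration, and it assumes the simple `path client(options)` form without quoted paths or line continuations.

```python
import ipaddress
import re

# Constructed sample /etc/exports content (not taken from the thread).
SAMPLE_EXPORTS = """\
/home        10.0.0.0/24(rw,sync)      # whole subnet, no sec= given
/home/user1  10.0.0.1(rw,sync)
/home/user2  10.0.0.2(rw,sync,sec=sys)
/srv/krb     10.0.0.0/24(rw,sync,sec=krb5p)
/srv/mixed   *(ro,sec=krb5:sys)
"""

ENTRY = re.compile(r"^([^\s(]+)(?:\((.*)\))?$")  # client(options)

def is_single_host(client):
    """True when the client spec names exactly one address or hostname."""
    if client.startswith("@") or any(c in client for c in "*?["):
        return False  # netgroup or wildcard pattern
    try:
        return ipaddress.ip_network(client, strict=False).num_addresses == 1
    except ValueError:
        return True  # not an address or network, so treat as one hostname

def audit_exports(text):
    """Return (path, client, kind) for every export that permits sec=sys."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = ENTRY.match(spec)
            if not m:
                continue
            client, opts = m.group(1), (m.group(2) or "").split(",")
            flavors = ["sys"]  # assumption: sys applies when no sec= is given
            for o in opts:
                if o.startswith("sec="):
                    flavors = o[4:].split(":")
            if "sys" not in flavors:
                continue  # Kerberos only: each user authenticates individually
            kind = "sys-single-host" if is_single_host(client) else "sys-multi-host"
            findings.append((path, client, kind))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding)
```

A `sys-multi-host` finding means every machine matching the client spec is trusted for whatever UID it presents; a `sys-single-host` finding limits that trust to one machine and one export.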