5.1 Security Considerations for Implementers
This protocol provides query functionality into databases that might have other access control mechanisms. This protocol should obey those mechanisms; otherwise, it might become a source of information disclosure.
The RPC server has to successfully authenticate the client if user names are considered confidential information.
The RPC client has to authenticate the server if the results are used to make policy decisions.