Since the vulnerability was discovered a couple of months ago, in my book this has become bad practice now (I uninstalled it on my only system that had it). I think they patched it, but I wouldn’t use it anymore.
If nobody was aware of it, that’s how Wendell did his RPi fleet (mostly to get rid of microSD failures, he doesn’t tackle updates):
I’ll be working on an updated guide, probably using Kea on Linux and FreeBSD (TFTP, HTTP and NFS) and I’ll probably set up read-only shared /usr and read-write shared /home, so all your systems will share the same update level (update once on the main system, reboot everything, boom everything runs the same version). Unfortunately idk how to tackle shared local credentials yet without an AAA server (you might have the /home mounted, but if the user is missing from /etc/passwd and /etc/shadow and their *- files, you won’t be able to log in with the same credentials).
You can follow the Gentoo nfsroot wiki for more details (too lazy to grab it rn).