Just to make sure of the security implications: if I understand correctly, the potential risk is only related to unix authentication, right?
If so, I would especially want to figure out the Sec.protbind config for EOS to prevent remote clients from using unix authn, but I am not sure how to proceed on that; the only remaining possibility I can think of is an xrootd-level bug (or possibly misleading/misinterpreted documentation).