requiring reserved NFS client ports by default

From: Mark Johnston <markj_at_freebsd.org>
Date: Tue, 16 Apr 2024 23:05:54 UTC

It's common practice for NFS clients to bind to reserved ports (i.e., <=
1023) since some NFS servers require this as a weak security measure
against attackers with network access to a server but without local
privileges.  FreeBSD's NFS server does not require clients to use
privileged ports by default, but this can be changed by setting
nfs_reserved_port_only=YES in rc.conf.

I would like to propose flipping the default for nfs_reserved_port_only.
This raises the bar a bit for a malicious agent able to execute
unprivileged code on a machine with network access to an unauthenticated
NFS server running FreeBSD.  This behaviour would match the defaults on
Linux (the per-export "secure" attribute) and OpenBSD.

The downside is increased pressure on the limited range of reserved port
numbers.  However, the server will complain on the console if a request
arrives on an unreserved port, so diagnosis should be easy, and most
clients sport an option to not use a reserved port number (noresvport on
FreeBSD), so one can configure client mounts to use them only where
needed.  And, the option is easy to disable on the server should that be
necessary.  My aim here is to provide a safer out-of-the-box behaviour.

Any comments, objections, feedback?
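
An added example, not part of the original message: a small sh audit that reports whether an NFS server configured through rc.conf-style files accepts requests from unreserved client ports. The function names and sample files are constructed for illustration; nfs_server_enable is the usual rc.conf switch for the NFS server, and an unset nfs_reserved_port_only is treated as NO, the current default the message describes.

```shell
#!/bin/sh
# Added example: audit rc.conf-style files for the NFS reserved-port setting.

# Print the last value assigned to variable $1 in the files that follow.
# Later files and later lines win, as when rc.conf files are sourced in order.
rc_value() {
    var=$1; shift
    val=
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Accept VAR=value, VAR="value" and VAR='value'; commented lines do not
        # match. The leading "=" marks a hit even when the value is empty.
        v=$(sed -n "s/^[[:space:]]*${var}=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/=\1/p" "$f" | tail -n 1)
        if [ -n "$v" ]; then val=${v#=}; fi
    done
    printf '%s\n' "$val"
}

# rc.conf booleans: YES, TRUE, ON or 1, in any letter case.
is_yes() {
    case $1 in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the configuration found in the given files.
nfs_port_policy() {
    if ! is_yes "$(rc_value nfs_server_enable "$@")"; then
        echo "no-nfs-server"
    elif is_yes "$(rc_value nfs_reserved_port_only "$@")"; then
        echo "reserved-port-required"
    else
        # Unset counts as NO (assumption: the default has not been flipped).
        echo "unreserved-ports-accepted"
    fi
}

# Constructed sample configuration, for demonstration only.
demo=$(mktemp -d)
printf 'nfs_server_enable="YES"\n' > "$demo/rc.conf"
printf '#nfs_reserved_port_only="NO"\nnfs_reserved_port_only="YES"\n' > "$demo/rc.conf.local"
echo "rc.conf alone:      $(nfs_port_policy "$demo/rc.conf")"
echo "with rc.conf.local: $(nfs_port_policy "$demo/rc.conf" "$demo/rc.conf.local")"
rm -rf "$demo"
```

On a real host the arguments would be the rc.conf files in the order they are read, for example /etc/defaults/rc.conf followed by /etc/rc.conf.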