How big of a security risk is this?

Consider if you're in a room full of experienced ssb programmers, all on the same wifi.

Someone could write a script that attacks your ssb server, simply by running an ssb query over muxrpc directed at your public key -- this query will return your private messages.

So yes, this is a high priority to fix this, for me. But, I'm only on wifi with @gb, and I trust her not to make this request to my local sbot.