Yeah I totally agree. The risk is minor but it is an attack vector, especially with uPNP enabled which is probably the typical case.
Edit. Crikey I just visited the roon forums. It seems like people on the internet are at their happiest when they are furious about something.