That's certainly true of servers, but it's way less important for the limited set of services a router typically provides. Aside from the services that really need root because they're changing system settings, you've pretty much got just dnsmasq and hostapd out of the box. Isolating them is nice if you've got the storage space for that extra complexity, but it's not like OpenWRT is a massive attack surface with gaping holes.
