
And when the stuff was originally written, this was probably not considered to be a "security boundary" in the sense that the client will have higher privileges than the server. As the email notes, this happens rather rarely.


Actually it was more common back then. Remember, "client" and "server" are backwards in the context of X. A "thin client" actually runs an X Server, and you remotely launch an xterm on the central server as an "x client", exported to your display.

However, as the email states, this only gets you the same access your user already had on the remote system, unless it's a setuid program. The canonical example, and the only one I can think of off the top of my head, is xscreensaver or xlock. There are now GUI versions of su/sudo that would also be targets, but I don't think variants of these were used back when this topology was common.


This is a good read about how jwz coded xscreensaver to be secure and the pitfalls of using GUI toolkits:

http://www.jwz.org/xscreensaver/toolkits.html
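The two comments above make the same point from different angles: a malicious X server (the display) only matters when the X client talking to it is setuid, and the way to stay safe is to finish the privileged work and give root up before ever speaking X. The following is an added illustration of that discipline in C, written for this page; it is not xscreensaver's code and not from jwz's page. The privileged step is a stand-in, and connect_display() is a hypothetical stub standing where XOpenDisplay() would go, so the file compiles without X headers.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Step 1: the only thing that needs root (for a locker, reading the user's
 * password hash out of /etc/shadow). Illustrative stand-in: report whether we
 * are effectively root. A real locker would copy what it needs into memory
 * here and do nothing else while privileged. */
int privileged_step(void) {
    return geteuid() == 0;
}

/* Step 2: give up root for good. Order matters: supplementary groups, then
 * gid, then uid, because once the uid is no longer 0 the gid can't be changed.
 * Returns 0 on success, -1 if any call failed or if the drop is not permanent. */
int drop_privileges_permanently(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)   /* from euid 0 this sets real, effective and saved uid */
        return -1;

    /* Verify the drop took and cannot be undone. The classic mistake is leaving
     * the saved uid at 0 (e.g. by using seteuid() alone), which lets the program
     * climb back to root later. When started by a non-root user these checks
     * pass trivially, so they are safe to keep in. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    if (ruid != 0 && (seteuid(0) == 0 || setuid(0) == 0))
        return -1;   /* regained root: the drop was incomplete */
    return 0;
}

/* Step 3: only now touch the (untrusted) display. Hypothetical stub: this is
 * where XOpenDisplay(display_name) would be called. It refuses to proceed if
 * the process is still effectively root, which is the bug the thread is about. */
int connect_display(const char *display_name) {
    if (display_name == NULL || display_name[0] == '\0')
        return -1;
    if (geteuid() == 0)
        return -1;
    /* Display *dpy = XOpenDisplay(display_name); ... */
    return 0;
}

int main(void) {
    const char *display = getenv("DISPLAY");
    int had_root = privileged_step();

    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "refusing to continue: could not drop privileges\n");
        return 1;
    }
    printf("started with root: %d; now uid %ld, euid %ld\n",
           had_root, (long)getuid(), (long)geteuid());

    return connect_display(display ? display : ":0") == 0 ? 0 : 1;
}
```

The ordering is the whole point: anything the X server can feed the client (replies, events, property contents) arrives after step 3, when the process is already the plain user, so a hostile display gets nothing the user did not already have.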



