I'm also curious about this; I don't know how secure the traditional native clients are (FreeRDP, Vinagre, Remmina, etc.).
On the other hand, there are browser-based clients such as Apache Guacamole and noVNC, which are protected by the browser's security sandbox. They require a server component, but that can be run in a sandbox or on the untrusted server. There are some limitations to running in a browser (e.g. some keyboard shortcuts might not be forwarded).
On the other hand, there are browser-based clients such as Apache Guacamole and noVNC, which are protected by the browser's security sandbox. They require a server component, but that can be run in a sandbox or on the untrusted server. There are some limitations to running in a browser (e.g. some keyboard shortcuts might not be forwarded).