As far as I know, the BOINC client just pulls down new data for processing when each batch of work is done. There’s no pushing and no open tunnel or port. The software risk would be malicious code in a particular project (e.g. if it said it was folding proteins but actually mined bitcoins). I hope there’s some vetting of project code.
The other risk is hardware (especially CPU and RAM) running its lifetime down more quickly because of the continual heavier usage.