How to Secure NFS on untrusted clients environment
NFS is a security hole with file access -- there is nothing you can really do to mitigate that. The best thing you can do is only allow exports to trusted clients as you described, and optionally use firewall rules to prevent other people from sneaking through and talking to your NFS server (even though they theoretically wouldn't be able to do anything you may as well make sure they're locked out).
If you use NFSv4 exclusively you can Kerberize your NFS environment, which offers some better security options in terms of authenticating clients, but the work of maintaining the Kerberos environment is probably equal to (or greater than) maintaining netgroup export lists -- If you're using Kerberos anyway though it may be a better solution for you.