Vulnerabilities
rsync mailing list
> Could attacker X on remoteserver alter the rsync binary in such a way
> so it can traverse and change or read arbitrary files on localserver?
> Does running above command execute remote code or give remoteserver
> any kind of system access to localserver (does the ssh tunnel work both ways???)
> or is it "pumping" data through a dumb pipe just like for example rsync
> over a samba share would and leaving all control to local?
You are wise to ask this question!
The remote server can change arbitrary files on the local server by
sending a symlink and then using paths that go through the symlink. The
current development rsync has a --munge-links option to prevent that.
Unfortunately, that option is not available in the 3.0.x branch at this
time.
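
A receiver-side check for the symlink traversal described in the reply above, as an added example that is not part of the original post and is not rsync's own code. The function name `unsafe_reason` and the sample paths are assumptions made for illustration. It refuses any incoming relative path with a directory component that is already a symlink under the destination.

```python
import os
import tempfile

def unsafe_reason(dest_root, rel_path):
    """Return why rel_path must not be written under dest_root, or None if safe."""
    if os.path.isabs(rel_path):
        return "absolute path"
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if ".." in parts:
        return "parent-directory component"
    seen = []
    # Inspect every directory component before the final name. os.path.islink
    # uses lstat(), so the link itself is examined rather than its target.
    # Assumption: the writer replaces the final name via rename() and never
    # opens through it, so the last component is not checked here.
    for part in parts[:-1]:
        seen.append(part)
        if os.path.islink(os.path.join(dest_root, *seen)):
            return "passes through symlink " + "/".join(seen)
    return None

def demo():
    """Build a constructed destination tree and classify four incoming paths."""
    with tempfile.TemporaryDirectory() as base:
        dest = os.path.join(base, "dest")
        outside = os.path.join(base, "outside")
        os.makedirs(os.path.join(dest, "docs"))
        os.makedirs(outside)
        # Constructed sample: a symlink delivered earlier in the transfer
        # that points outside the destination directory.
        os.symlink(outside, os.path.join(dest, "cache"))
        incoming = [
            "docs/readme.txt",        # ordinary file in a real directory
            "cache/authorized_keys",  # would be written through the symlink
            "../x",                   # climbs out of the destination
            "/etc/passwd",            # absolute path
        ]
        return [(name, unsafe_reason(dest, name)) for name in incoming]

if __name__ == "__main__":
    for name, reason in demo():
        print(name, "->", reason or "ok")
```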