The main thing to remember about jserver-c ("chopchop") is that it currently has NO authentication. Any ol' user with a jabber client can essentially take over a mal-configured jserver-c server, and potentially compromise any systems using OpenSRF (IE: Evergreen).
There is good news, however. There is absolutely no reason for jserver-c to be bound to the network card in a single-server scenario. jserver-c should be bound to localhost AND ONLY LOCALHOST.
More good news: a proper authentication mechanism for chopchop will be implemented shortly.