I think I know what's going on here and why the Arch wiki is confusing.
Ancient versions of NFS from back in the 1990s (version 3 and previous) could simply export arbitrary directories which were located anywhere in the filesystem. This changed with NFSv4, which requires all exported directories to be subdirectories of a top-level "root" export which is defined by the system administrator and carries the export option fsid=0
to distinguish it as the root. There is no predefined root; the admin makes an explicit choice to define the root.
Thus if you define /srv/nfs
as the root, all other NFSv4 exports must be subdirectories of that directory.
However, it is likely that the directory you want to export is not actually under /srv/nfs
. For example you may want to export /var/lib/docker/volumes
. To do this, instead of moving the files around which might break things that depend on them being in their original location, you can create a bind mount so that the files remain in their original place in the filesystem but are also visible under the bind-mounted path.
mkdir /srv/nfs/volumes
mount --bind /var/lib/docker/volumes /srv/nfs/volumes
Now the files are available in both places in the filesystem tree, and because of that, NFSv4 can export them.
The only bit I am still confused about is why the Arch wiki calls it a "good security practice" when it is just how NFSv4 works.