> How deranged would it be to have every NFS client establish a WireGuard tunnel and only have NFS traffic go through the tunnel?

See perhaps NFS over TLS:

* https://datatracker.ietf.org/doc/html/rfc9289

* https://access.redhat.com/solutions/7079884

* https://www.phoronix.com/news/Linux-6.4-NFSD-RPC-With-TLS