Apparently NFSD already allows any GSS-protected connection from clients to come from an ephemeral port. This conserves the very limited privileged port number range on the clients. For similar reasons, TLS-protected connections are also secure without needing a privileged source port, so NFSD should also allow such connections from ephemeral ports.
The TCP logic that checks whether a secure port is in use could be made to skip that check if one of the transport-layer security flags is set in the svc_rqst.
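A user-space model of that check, as an added example that is not NFSD's code: the struct, enum and function names are hypothetical, and `tls_established` stands in for whatever transport-layer security flag the server sets on the request once the handshake has completed. It returns the rule that admitted the request so the decision can be logged or audited.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PRIV_PORT_LIMIT 1024          /* source ports below this need privilege to bind */

enum flavor  { AUTH_FLAVOR_SYS = 1, AUTH_FLAVOR_GSS = 6 };   /* RPC flavor numbers */
enum verdict { REJECT = 0, OK_PRIV_PORT, OK_GSS, OK_TLS };

/* Hypothetical stand-in for the per-request state the server consults. */
struct model_rqst {
    uint16_t    src_port;         /* client's TCP source port */
    enum flavor flavor;           /* RPC authentication flavor of the request */
    bool        tls_established;  /* assumed: true only after a completed TLS handshake */
};

/* Decide whether the request passes the "secure port" requirement, and why. */
enum verdict port_check(const struct model_rqst *rq)
{
    if (rq->src_port > 0 && rq->src_port < PRIV_PORT_LIMIT)
        return OK_PRIV_PORT;      /* classic rule: privileged source port */
    if (rq->flavor == AUTH_FLAVOR_GSS)
        return OK_GSS;            /* existing exemption for GSS-protected requests */
    if (rq->tls_established)
        return OK_TLS;            /* proposed exemption for TLS-protected transports */
    return REJECT;                /* unprotected request from an ephemeral port */
}

/* Convenience wrapper so callers can pass the three fields directly. */
enum verdict classify(uint16_t port, enum flavor f, bool tls)
{
    struct model_rqst rq = { port, f, tls };
    return port_check(&rq);
}

int main(void)
{
    static const char *names[] = { "REJECT", "OK_PRIV_PORT", "OK_GSS", "OK_TLS" };
    /* Constructed sample requests, not captured traffic. */
    struct model_rqst samples[] = {
        {   875, AUTH_FLAVOR_SYS, false },
        { 51234, AUTH_FLAVOR_GSS, false },
        { 51234, AUTH_FLAVOR_SYS, true  },
        { 51234, AUTH_FLAVOR_SYS, false },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("port %5u -> %s\n", (unsigned)samples[i].src_port, names[port_check(&samples[i])]);
    return 0;
}
```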