For as long as the mount command runs, ps -Af can see its full command line, including the username=... and password=... options. Needless to say, this is very bad: mrgray can now log in to the backup NAS freely, and once there, the backup files of all the other servers, including the sensitive ones, are available.
You can argue that this window is very short. That is probably right, but the risk is still always there.
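As an added example (not from the original article), the following POSIX shell snippet shows the usual way to close this window entirely: mount.cifs reads username= and password= from the file named by its credentials= option, so ps -Af only ever sees the path to that file and never the secret itself. The share name, mount point, user name and file paths are constructed placeholders, and the snippet does not perform a real mount.

```shell
#!/bin/sh
# Added example, not from the original article. Keeps CIFS credentials out of
# argv so that `ps -Af` (and /proc/<pid>/cmdline) never see the password.
# Share, mount point, user name and file paths below are constructed placeholders.

# Create the credentials file under a restrictive umask *before* it exists, so
# there is no instant at which another user could read it.
write_cifs_credentials() {
    _file=$1; _user=$2; _pass=$3
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$_user" "$_pass" > "$_file" )
}

# Build the mount command line. Only the path of the credentials file appears
# in argv; mount.cifs reads the secret from that file at mount time.
build_mount_cmd() {
    _share=$1; _mnt=$2; _cred=$3
    printf 'mount -t cifs %s %s -o credentials=%s,uid=0,gid=0,file_mode=0600,dir_mode=0700' \
        "$_share" "$_mnt" "$_cred"
}

# Pre-deployment check for scripts and cron jobs: does a command line carry a
# password= option that ps would expose? Returns 0 when it leaks, 1 when clean.
cmdline_leaks_password() {
    case $1 in
        *password=*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Stand-alone demonstration: DEMO=1 sh this_script.sh
if [ "${DEMO:-}" = 1 ]; then
    cred=$(mktemp -d)/backup-nas.cred
    write_cifs_credentials "$cred" backupuser 'S3cret-placeholder'
    cmd=$(build_mount_cmd //backup-nas.example.internal/backups /mnt/backup "$cred")
    if cmdline_leaks_password "$cmd"; then
        echo "command line leaks a password: $cmd"
    else
        echo "clean command line (what ps would show): $cmd"
    fi
fi
```

The credentials file ends up root-owned with mode 0600 when the script is run by root, which is the only thing an unprivileged local user would otherwise have needed to read it; the check function is the same pattern-match a local user's ps scan would perform, run ahead of time by the administrator instead.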
Even if the ps -Af scan never catches the mount command because it runs so briefly, the same script can also list the current mount points. If the script compares the mount points over time, it can easily detect the additional mount point, and from the share name mrgray can easily deduce that it may be of some interest. The same script can also determine when the mount point is added and when it is unmounted.
This gives mrgray the critical information of what to scan, and when to scan on the file system.