I realized today that since the backup server needs root access on
each of the machines, I won't be able to disallow root logins. Is
that correct? If so, isn't that a major drawback to pulling?

You can disallow root logins using password authentication, and set
PermitRootLogin without-password in /etc/ssh/sshd_config. That would
be secure against any dictionary attack launched against the root
account.

And, looking at the whole subject from a different angle: pushing
also has the large drawback that in case your laptop is
stolen/lost/whatever, and you use an ssh key for rdiff-backup to
connect to your backup server, you risk not only losing your 'real'
systems, but the backup server can also be compromised if an attacker
starts using that key.

Both types of private key abuse could possibly be mitigated by using
passphrase-protected private keys. Then you're back at the 'default'
risk of keyloggers intercepting these passphrases...
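
An added example, not part of the original thread: a shell check that an sshd_config file really sets the PermitRootLogin policy the reply recommends, following sshd's rule that the first value read for a keyword is the one used. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the global PermitRootLogin setting in an sshd_config file.
# On a live host, `sshd -T` prints the effective configuration; this parses a file
# so it can be run against a copy of the config.

# Print the global PermitRootLogin value, lower-cased, or "unset".
# sshd uses the first value it reads for a keyword, so stop at the first hit;
# lines after a Match keyword are conditional, so stop there as well.
root_login_policy() {
    awk '
        { sub(/#.*/, ""); sub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only if the file explicitly stops root from logging in with a password.
# "unset" fails on purpose: the built-in default differs between OpenSSH releases.
# prohibit-password is the newer spelling of without-password.
root_password_login_blocked() {
    case "$(root_login_policy "$1")" in
        without-password|prohibit-password|forced-commands-only|no) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configuration, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# root may log in with a key (the backup server's), never with a password
PermitRootLogin without-password
PubkeyAuthentication yes
# the next line is ignored: an earlier line already set the keyword
PermitRootLogin yes
EOF

if root_password_login_blocked "$sample"; then
    echo "root password login blocked ($(root_login_policy "$sample"))"
else
    echo "root password login NOT blocked ($(root_login_policy "$sample"))"
fi
rm -f "$sample"
```
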