arcbtc / M5StackSats

A bitcoin point of sale terminal using the ESP32 based M5Stack

Reduce Read Macaroon Permissions

geco91 opened this issue

Just to keep in mind .. there is no Admin Macaroon on the POS, just an Invoice & Read Macaroon. So if the device gets stolen or hacked, the funds on the remote LND are safe. But in such a scenario the Read Macaroon would still allow the attacker to read much of the information from the LND node that is not needed to do the POS job. The newer LND allows for much more specialized Macaroons .. so for the future it would make sense to look in what way the Read Macaroon can be more restrictive.

See links:
lightningnetwork/lnd#1160
https://github.com/lightningnetwork/lnd/blob/13b56d5849a9495ed11d6928665115e88cd1d9b0/rpcserver.go#L209

commented

Good idea. Will look into it, thanks