Heheh... no best practices as of yet, but that is the appeal of NodeBB. I (and I think the other admins and reps share our vision on this) really wanted NodeBB to be a "pick and choose" system to allow you to build a system you want to build, instead of what some other entity has decided.
I liken it to buying a computer. You could save time (and maybe money) by taking something off-the-shelf that a big box manufacturer has put together, or you could build the computer you want by picking the parts and assembling them together yourself.
As for best practices -- Node is really all about division of responsibility. Don't do things unless you absolutely have to do them, that sort of thing.
This is why:
Search is handled by Solr plugin
Avatars are handled by Gravatar
Emails are handled by Mandrill
Image uploads are handled by Imgur
@v4 This is a risk with any application, and NodeBB is no exception. Think "zero-day exploits" and applications which accidentally let someone "break out" of the environment. It's obviously something we patch and code against, but finding them is often another matter
We maintain an email specifically for handling these issues: firstname.lastname@example.org. If you've located an exploit vector, email us privately there, and we'll get it fixed up!