
"One teensy-weensy, but ever so crucial little tiny detail is that the backdoor only listens on the LAN, thus it is not exploitable from the WAN"

Mh, so not really phoning home, is it? I thought this was pretty interesting until I read that... that's a pretty minimal security risk.




It also means that any bit of unprivileged clientside malware an attacker can get onto your machine might be able to use the bug as a pivot, first to your whole network, then potentially back to a more privileged place on your machine.


True, however we are talking about a $30 consumer router. Most people using something like that have a lot of other security flaws to worry about (but usually don't) and aren't that interesting as an attack target to hackers anyway.

Anyone with a "whole network" who remotely knows what he's doing won't be using a router like that one.


Anyone with a "whole network" who remotely knows what he's doing won't be using a router like that

Which router would he use?


Probably an enterprise-grade router if it's a bigger/corporate network, or something halfway decent that supports OpenWRT


Are you sure you haven't visited webpages that tell your browser to send requests to your local router lately?


This requires UDP packets, which a browser can't send.


Right. It looks a lot more like a badly-implemented feature for factory validation than a backdoor intended as an easily exploitable point of attack.


But a government is very likely to have access into a local network.



