Kerberos keytab NFS

Here's one for all the family
OK. So I have a kerberized NFS4 server and it has:
in its keytab.
Seems reasonable, no? Like, nfs is a service so it'll need a service principal, otherwise nobody will be able to get tickets to access it.

I have a client too. The doco would have you believe that you need a nfs principal there too. So I add the principal:
to the existing host/client.domain and client$.client.domain keys which are already in the keytab. Thinks. Seems reasonable too. That's what Google articles tell you to do. So it must be right. But hang on, some other Google articles tell you that you don't need the nfs principal on the client. Or rather they don't mention nfs principals for the client at all.

OK. So then, a quick:
mount -t nfs4 server:/folder /clientfolder -o sec=krb5
Fine. Authenticated users can access their files, root is squashed and all is well.

How to find out who is right about this nfs keytab thing
I remove the nfs/client.domain entries from the client keytab and remount the share. Predictions anyone? Yeah, that's what I thought too. But no. You'd be wrong. Root is still squashed, rpc.gssd and rpc.idmapd make all the right noises, but I am confused. We can still access the share. Agghh! Why? Help! Why o why. Just to prove it:
Is it just me, or is this working?
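
An added example, not part of the original post: rpc.gssd(8) documents the order in which an NFS client searches its keytab for a machine credential, and this sketch applies that order to `klist -k` output. The keytab listings, the hostname client.example.com and the realm EXAMPLE.COM are constructed, and the matching is a simplification of what the daemon does.

```python
import re

# Service prefixes rpc.gssd tries after the machine account (rpc.gssd(8)).
SERVICES = ("root", "nfs", "host")

def parse_klist(text):
    """Principal names from `klist -k` output, header lines skipped."""
    found = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)", line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found

def machine_principal(principals, fqdn, realm):
    """First keytab entry in the documented search order, or None."""
    short = fqdn.split(".")[0].upper()
    wanted = [f"{short}$@{realm}"]                       # <HOSTNAME>$@<REALM>
    wanted += [f"{s}/{fqdn}@{realm}" for s in SERVICES]  # <svc>/<hostname>
    for name in wanted:
        if name in principals:
            return name
    for s in SERVICES:                                   # <svc>/<anyname>
        for p in principals:
            if p.startswith(s + "/") and p.endswith("@" + realm):
                return p
    return None

# Constructed sample output; names and realm are placeholders.
HEADER = "Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n---- ----------\n"
WITH_NFS = HEADER + (
    "   2 host/client.example.com@EXAMPLE.COM\n"
    "   2 CLIENT$@EXAMPLE.COM\n"
    "   3 nfs/client.example.com@EXAMPLE.COM\n")
WITHOUT_NFS = HEADER + (
    "   2 host/client.example.com@EXAMPLE.COM\n"
    "   2 CLIENT$@EXAMPLE.COM\n")
HOST_ONLY = HEADER + "   2 host/client.example.com@EXAMPLE.COM\n"

if __name__ == "__main__":
    for label, out in (("with nfs/", WITH_NFS), ("without nfs/", WITHOUT_NFS),
                       ("host/ only", HOST_ONLY)):
        pick = machine_principal(parse_klist(out), "client.example.com",
                                 "EXAMPLE.COM")
        print(f"{label:13} -> {pick}")
```

In the constructed keytabs the machine account is picked whether or not the nfs/ entry is present, and host/ is picked when it is the only entry, which is consistent with the mount still working after the nfs/ keys are removed.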