Many X terminals download the X server image from another host, rather than having the server image stored locally in non-volatile ROM. Any host that masquerades as the TFTP host can download any code to the X terminal.
Also, the TFTP protocol does not do any authentication of requests, so that a malicious client can download files that it should not have access to, or can cause denial-of-service by flooding the host with TFTP requests.