Typically a pi-hole is used as a DNS resolver. In order to work it must connect to the internet.
Scenario for attack: Laptop looks up a website, DNS request is made to pi-hole, pi-hole sends request to internet. Response packet received back is actually from an attacker, who uses a known vulnerability in the handling of the packet to take over the machine.
Attacker can now see what DNS requests are being made, and by returning custom responses, it can MITM any HTTP request you make from your laptop. Let's hope everything is encrypted via TLS, and hope that some piece of software that just asked for admin permission didn't just install a new TLS trust root.
That is definitely a bad situation. Thanks for the reply. Unnerving to think there'd be even a possibility of getting root just from processing a DNS response!
There are lots of ways. A basic vector is CSRF (like, e.g., https://tools.cisco.com/security/center/content/CiscoSecurit...), or the server-side variant (SSRF). Then there's the DNS vector already mentioned. There are others too. Generally it's a bad idea to rely on home network boundary protections.