SBG 8 LDAP replicates content to the scanners, and SBG 9 caches only selected content (e-mail addresses, AD groups used in policies). So SBG 8 has more data at risk, while SBG 9 has less, but it could be your entire address book.
You should also have an upstream router that only allows inbound connections for the protocols you support @ the firewall, e.g. SSL should be disabled inbound. This will prevent password attacks against the SBG command line interface.
Router with minimum ACLs -> SBG -> firewall -> inside mail server.
Also don't forget the high-numbered ports SBG uses in the 410xx range. 41015-17 use the SMTP protocol stack. (JDavis - I know, they are "protected" using the Agent-Config command.)