So, if you have a full client then you see the whole blockchain and can harvest locally.
If you have a lightweight client then you don't see the whole blockchain and can harvest only by signing data received from remote server(s).
And now imagine that network is sybil-attacked and the attacker can trick you into harvesting on a fork...
easy fix, allow ncc to query multiple nis to ensure that the server your are harvesting on is not on a fork. eigentrust could also play a part but im not sure exactly how it works. from my minimal understanding of it, possible eigentrust could effectively blacklist the node with bad data and stop you from harvesting on it. idk, just thinking that could be a possibility to prevent that.
I took into account that a lightweight client talks to several nodes. If a sybil attack is conducted then you will be connecting to rogue nodes in most cases. Let's assume that you managed to find a honest node, what will you do when receive contradicting info? You can't rely on EigenTrust because its data can be faked (sybil nodes will supply evidence of their legitimacy) and you will get contradicting info again.
To date
reliable lightweight clients are possible only in PoW cryptocurrencies. If NEM team found a solution for a non-PoW case then it's a breakthrough. But I'm skeptical that they really did.