Well, because the work itself is encrypted before the FPGA sees it, you can obviously shift in any data to the FPGA.  And you're pretty clever.  I personally can think of at least a couple of ways to sneak bits out through the encrypted nonces almost every time, at the expense of minor amounts of processing on the server side. We all know that the average nonce found is below the half-way point (mainly due to discarded work), and that should give a hint.

Hell, I'll give you one of my possible ways, just so you can't say it can't be done. Each time the FPGA finds a nonce, if there are two or more leading 0's, the first is set to 1 indicating sneaky work. The remaining are set to the bits to be sneaked out.  The server performs the needed hashes to determine which bits of the nonce are the correct bits to be sent back to the user and keeps the sneaky bits.  At most a few dozen hashes.  Even at the rate a full nonce could be sneaked out this way, its still quick enough for a share or so per minute of normal mining, OR it could be used for a speed boost for your own setup finding a valid nonce through other means by eliminating work exponentially, then the next encrypted work abort that sneak, etc etc.

I estimate that this specific method could be used to get at most about 5-10MH per LX150 if done fully.  Far more if done partially (ie: reducing the nonce search window by a factor of 2^16 or so for your own hardware... which could make a normal CPU able to mine at profitable speeds with enough LX150s sneaking out partial nonces.) In addition to the commission work planned, this could be almost profitable.

There are better methods, and I didn't say a lot of data could be sneaked out, but, you can't say it can't be done.  And unless the source is available, you can't prove that it isn't being done.

-wk