Cinap mostly covered this, but yeah: if you don't trust the system you're connecting to, cpu isn't really safe[1]. But then, neither is anything else: even the simplest service (say, telnet) can be trivially bugged with things like key loggers if the remote side's untrustworthy.
If you've not read it, you (and everyone else in CS) should read "Reflections on Trusting"[1], by Ken Thompson, describing how he bugged the login program and then made it roughly undetectable. Things like cpu's -P can help in a sense, but at some point it comes down to trusting the humans on the remote end. [1] http://cm.bell-labs.com/who/ken/trust.html