They could be flagged because they are a shared host, or like you said a TOR exit node, in which case the anonymous traffic could be doing bad things. You would have to look at the IPDB logs yourself and make that determination.
As elljay said, there is a monitor server which is constantly querying time to ensure that the server is delivering accurate time, and if it is too far off, or doesn’t respond, then it gets pulled from rotation very quickly.
As for “exploits”… That’s a loaded question since it is so very vague, and since there are numerous NTP packages in use, all of which have very different code bases…
The whole point of having multiple NTP servers listed is so that no one source can tell you what time it is.
The general rule of thumb is for 2n+1 servers to protect against “n” falsetickers. Five upstreams will protect you against two falsetickers, seven will protect you against three falsetickers, etc…
With most people’s default configuration of four servers, you are really only protected against losing one server (either with bad time or it stops responding). As soon as you lose a second server, then all bets are off. With many distro’s out there still running older versions of NTPD that don’t have the ‘pool’ directive implemented, they can’t refresh a server if it goes stale.
Bandwidth is cheap, and NTP packets are extremely small and sent at long intervals, so the difference in bandwidth between having 4 servers listed, and having 7 servers is more of less non-existent. Yet the redundancy you gain is priceless…
I always try to use a mix of pool servers, ISP NTP servers, and other public servers (Apple & Cloudflare to name a couple.) You never want to trust one source if time is of critical importance.