nss/nsswitch.c should dlopen() the NSS modules with RTLD_DEEPBIND so that the application symbols will not interfere with symbols the NSS module is using. A practical example (pointed out by Michael Meeks) is nss_ldap + Thunderbird failing, since both use incompatible LDAP libraries with some symbols clashing; nss_ldap will use the Thunderbird LDAP library symbols in preference to these of its own library, resulting in a crash. Deepbinding should solve this problem, and I can think of no bad side-effects (in sane situations).
i tried merging this into the Gentoo glibc package, but things went badly for mozilla users. feel like having a look ? http://bugs.gentoo.org/252302
By now, plenty of bad side-effects popped up mainly due to the fact that custom malloc() overrides do not work - the NSS module will ignore them, but will try to free() pointers allocated by glibc using the overriden malloc(). It's probably best to require NSS modules not to pollute namespace.
Note that by now, nss_ldap with its in-process LDAP processing is considered a design mistake. The successor, nss_ldapd, performs all LDAP handling in a dedicated daemon, so that the NSS module itself does not depend on any LDAP libraries. This avoids symbol binding issues due to conflicting LDAP libraries. (It also allows the client to use some secret not known to all local users to authenticate to the LDAP server.)