Spyware is easy: they ensure that the data coming back follows a certain format, and they don't execute any part of it. It's no different to uploading JPG files to GMail or Tumblr -- whatever you upload won't be executed in any way, so it's OK.
Regarding "faking the data":
For one, they generally send out the same data to more than one user. Secondly, hints of an "interesting event" will obviously be checked by a human. Of course, if you "hide" your findings, there's not much that can be done except verifying your submission with someone else.
Their website is currently down, but I found this in a copy of the SETI@HOME FAQ:
What if someone fakes a result to make it seem like they found a signal?
The SETI@home staff will be reviewing the actual data that produced the result, and if they don't find the same results, they will discard the fake. Besides, while it's not impossible, it might be harder than you think to fake a result file.
Since some workunits are sent out more than once, SETI@home can detect errors by comparing the results. During the time of the project, the sky will be scanned several times. It's very unlikely that a cheater would get a workunit from the same location in the sky more than once.
A good read on this would be this pdf (doi), which explains a nice way systems can protect themselves from users spoofing data.
In this paper, we first propose a scheme called Quiz to combat collusion. The basic idea of Quiz is to insert indistinguishable quiz tasks with verifiable results known to the client within a package containing several normal tasks. The client can then accept or reject the normal task results based on the correctness of quiz results.
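The quiz idea quoted above can be sketched as follows. This is an added example, not code from the answer, the paper or SETI@home; the hash-based `compute` stand-in, the function names and the package sizes are assumptions chosen for illustration.

```python
import hashlib
import random

def compute(task_id):
    # Stand-in for the real work-unit computation (assumption for this example).
    return hashlib.sha256(f"workunit-{task_id}".encode()).hexdigest()

def build_package(n_normal, n_quiz, rng):
    # Task ids come from one pool, so the id does not reveal which tasks are quizzes.
    ids = rng.sample(range(10**6), n_normal + n_quiz)
    answer_key = {t: compute(t) for t in ids[:n_quiz]}  # results known in advance
    rng.shuffle(ids)                                    # position reveals nothing either
    return ids, answer_key

def verify_package(results, answer_key):
    # Accept the normal results only if every quiz result is correct.
    if any(results.get(t) != expected for t, expected in answer_key.items()):
        return None                                     # reject the whole package
    return {t: r for t, r in results.items() if t not in answer_key}

def honest_worker(package):
    return {t: compute(t) for t in package}

def cheating_worker(package, cheat_rate, rng):
    # Fakes each result with probability cheat_rate, blind to which are quizzes.
    return {t: "0" * 64 if rng.random() < cheat_rate else compute(t) for t in package}

def detection_rate(cheat_rate, n_normal, n_quiz, trials=2000, seed=1):
    # Fraction of constructed packages from a cheating worker that get rejected.
    rng = random.Random(seed)
    rejected = 0
    for _ in range(trials):
        package, key = build_package(n_normal, n_quiz, rng)
        if verify_package(cheating_worker(package, cheat_rate, rng), key) is None:
            rejected += 1
    return rejected / trials

if __name__ == "__main__":
    rng = random.Random(7)
    package, key = build_package(8, 4, rng)
    print("honest accepted:", verify_package(honest_worker(package), key) is not None)
    for q in (1, 2, 4, 8):
        print(f"{q} quiz tasks, 50% faked: rejected {detection_rate(0.5, 8, q):.2%}")
```

A worker that fakes each result independently with probability p slips past q quiz tasks with probability (1 - p)^q, so the rejection rate rises quickly as quiz tasks are added to a package.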