Let's break down the questions:
Can root remotely capture the X server content of these machines somehow?
The short answer is yes, but not quite that easy. Root on one machine will not be root on the
other machine without permission. In order to access a remote X session you need to have
the Xserver port open, and if a firewall is running allowing access as well.
Or maybe he can run a script that will save X data to a file and then recreate what windows were opened and what was on the monitor?
Again you can do this, however it will take a little work to accomplish that. First you would need to background the xserver under root and then you can log everything that happened. Of course the logs
would become large quickly.
Is that easy?
The concept is easy, implementing it is not. First remote exploiting would create a problem if the users
follow easy and safe web browsing principles. If there is physical access then all bets are off. Anyone can own that machine.
If so is there any way to prevent X server spying
To prevent this attack would be to have a firewall in place, second watch your
logs (mutt point for a good attacker since it is the first place to fix) and also
monitor those that have accessed your machine ( again mutt for a good attack
since wtmp is the second thing to fix) also you can monitor your files and see if
any file is strange bad timestamps and such.
HTH
Bigpaws