Im not sure what disabling NAT Reflection really entails if it is a horrible security risk or just makes port forwarding/nat more work. ??
It's not a security risk, it just puts more load on the pfSense box. The domain name you use to access your virtual sites internally looks up to a public IP. Thus the request goes out to the pfSense box. Enabling NAT reflection allows the pfSense box to redirect the request back into the internal network to the correct host.
If you had split DNS when inside your network the domain name would look up to the internal IP of the server. This would avoid the unnecessary loop to the pfSense box as the request would go directly to the server. When outside your network the domain name would look up to your public IP.