I missed your comment, apologies.
We already have a clear security story for web UI and web-services. This JIRA is not adding any more end-points than what are already present.
Similarly, we already expose the same information via RPCs, web UI and web-services. So this JIRA isn't adding any more maintenance burden than is already present.
Overall, I've seen a lot of use-cases where, at-least on the client side APIs, users want to use web-services directly instead of writing code. That's the goal of this JIRA. As I already pointed out, the remaining protocols from this JIRA are in the grey area of whether to do or not at all and which I am not focusing on at all right-away.