Affects Version/s: 5.2.3, 6.0.6 GA
Although the Rest Proxy is available only to logged-in users, it allows attacks on remote sites.
An attacker can use it to hide the origin IP and attack web pages directly. It can also be reused for CSRF POST attacks on remote sites.
I think the Rest Proxy could require some URL digest (accessible to the portal/portlets through a Java API (the API should not be accessible directly from the browser)) that prevents unauthorized reuse.
See LEP-5353 for the Rest Proxy.
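
One way the URL digest suggested above could work, as an added example that is not part of the original report and not portal code: server-side code signs each URL it wants proxied with an HMAC, and the proxy refuses any request whose digest does not verify. The class name `ProxyUrlDigest`, the binding to session id and HTTP method, and the sample URLs are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper: only code running inside the portal can call sign(),
// so a browser cannot mint a digest for a URL of its own choosing.
public class ProxyUrlDigest {
    private final byte[] key; // server-side secret, never sent to the browser

    public ProxyUrlDigest(byte[] key) { this.key = key.clone(); }

    // Called by portlet code when it renders a link that goes through the proxy.
    public String sign(String sessionId, String method, String url) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            // Length-prefix each field so field boundaries cannot be shifted.
            for (String field : new String[] {sessionId, method, url}) {
                byte[] b = field.getBytes(StandardCharsets.UTF_8);
                mac.update(ByteBuffer.allocate(4).putInt(b.length).array());
                mac.update(b);
            }
            return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal());
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // Called by the proxy before it makes any outbound request.
    public boolean verify(String sessionId, String method, String url, String digest) {
        if (digest == null) return false;
        byte[] expected = sign(sessionId, method, url).getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison, so response timing does not leak the digest.
        return MessageDigest.isEqual(expected, digest.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        ProxyUrlDigest d = new ProxyUrlDigest(key);
        String url = "https://feeds.example.org/news.xml"; // constructed sample value
        String tag = d.sign("session-A", "GET", url);
        System.out.println(d.verify("session-A", "GET", url, tag));  // request as signed
        System.out.println(d.verify("session-A", "POST", url, tag)); // method changed
        System.out.println(d.verify("session-A", "GET", "https://other.example.net/", tag)); // URL changed
        System.out.println(d.verify("session-B", "GET", url, tag));  // different session
    }
}
```

Only the first check in `main` passes; a changed method, a changed target URL, or a digest replayed from another session is rejected before the proxy connects anywhere.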