Thanks, this is really embedded in the documentation and is not at all even hinted at in the above documentation.
This seems like a huge DoS security hole.
I encourage you to write a blog post about this. It seems especially relevant.