Hi jeffgreenrc,
we use the Web API in portals also for anonymous access. The problem you are addressing is not a problem of the Web API. There could also be misuse on forms which are anonymously accessible.
The create/update/delete has to be enabled by the site settings as described in the documentation ( https://docs.microsoft.com/en-us/powerapps/maker/portals/web-api-overview , make sure to read https://docs.microsoft.com/en-us/powerapps/maker/portals/web-api-http-requests-handle-errors , this will prevent a lot of headaches 🙂 ) .
Additionally you have to set the proper access rights in entity permissions and assign those entity permissions to a web role which is associated with anonymous access.
There is currently no read in the API as far as I know. Usually we write a Liquid template which issues a FetchXML query and render the response as JSON ( akin to https://docs.microsoft.com/en-us/powerapps/maker/portals/liquid/render-rss-custom-page-template but JSON instead of XML) . This could then either be put into the form as static JSON or it could be used as a kind of backend service which is callable as if it was a page.
In my opinion the Web API is a little bit more secure than the form submission, as the form submission submits every field which was customized on the form. As this customization is in large companies done by different people than those who run the portal, there might accidentally be fields on forms which should not be publicly accessible.
If you use the Web API, you should only enable those fields which you want to make accessible in that service.
I do not know of any security issues like injections or whatever to 'hijack' that service. It's the other way round: if you do not enable the right things it will not work. And we have to configure a lot...
Hope this helps a little bit and points you in the right direction.
Have fun,
Christian
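Added example (editor's illustration, not code from Christian's post or from Microsoft's documentation) of the read-side pattern the reply describes: a portals web template that runs a FetchXML query and renders the result as JSON, so a page using it can be called like a backend service. The table name `contact`, the three attributes, the `top="50"` limit and the property names in the JSON are assumptions chosen for the example; as the post says, the anonymous web role still needs an entity (table) permission with Read privilege on that table, or the `fetchxml` tag returns no rows. The page template that wraps this web template is assumed to have MIME type `application/json` and the website header and footer switched off, so only the JSON body is returned. The write side (create/update/delete) is not covered here; that is the `Webapi/<table>/enabled` and `Webapi/<table>/fields` site settings from the linked Web API overview, where listing only the fields you need is the allow-list the post recommends.

```liquid
{% comment %}
  Added example, not from the original post.
  Assumed table: contact with attributes contactid, fullname, emailaddress1.
  Assumed: the anonymous web role has a table permission (Read) on contact;
  without it the fetchxml tag yields an empty result set rather than an error.
  Assumed page template: MIME type application/json, header/footer disabled.
  Only the attributes listed in the <fetch> below ever reach the response,
  which is the point of the post: the template is the allow-list.
{% endcomment %}
{% fetchxml contacts %}
<fetch version="1.0" output-format="xml-platform" mapping="logical" top="50">
  <entity name="contact">
    <attribute name="contactid" />
    <attribute name="fullname" />
    <attribute name="emailaddress1" />
    <filter type="and">
      <condition attribute="statecode" operator="eq" value="0" />
    </filter>
    <order attribute="fullname" descending="false" />
  </entity>
</fetch>
{% endfetchxml %}
{
  "count": {{ contacts.results.entities | size }},
  "value": [
  {% for c in contacts.results.entities %}
    {
      "id": "{{ c.contactid }}",
      {% comment %}
        escape is the HTML-escape filter: a double quote in the data becomes
        &quot;, so it cannot terminate the JSON string. The consumer must
        HTML-decode the values. Backslashes and line breaks are NOT handled
        by escape, so keep this to single-line text attributes.
      {% endcomment %}
      "fullname": "{{ c.fullname | escape }}",
      "email": "{{ c.emailaddress1 | escape }}"
    }{% unless forloop.last %},{% endunless %}
  {% endfor %}
  ]
}
```

A page that uses this template can be fetched from client script with a plain GET, and the anonymous web role's table permission (not the template) is what ultimately decides which rows come back, so test it logged out, not only as an administrator.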