Just like any web protocol, SignalR is an open API to your application. Any diligent user could reverse engineer the API via client code, a network sniffer, etc.
Your application code should verify that the user calling the API has permission to perform the actions they are requesting, and has access to read/write any data they send. That is, like any website, you should assume a program other than yours is calling the API. Don't count on client validation, and don't send any data to the client that the user is not allowed to view. Don't let the user change any data they are not allowed to change.
Also be sure to use a secure transport (SSL).
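
The server-side checks described above, as an added example that is not part of the original post. It assumes ASP.NET Core SignalR with authentication already configured by the application; `DocumentStore`, `DocumentHub`, the method names and the sample documents are hypothetical.

```csharp
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.SignalR;

// Hypothetical in-memory store: document id -> (owner user id, text).
public class DocumentStore
{
    private readonly ConcurrentDictionary<string, (string Owner, string Text)> _docs = new();

    public DocumentStore()
    {
        _docs["doc-1"] = ("alice", "alice's notes"); // constructed sample data
        _docs["doc-2"] = ("bob", "bob's notes");
    }

    public bool TryGet(string id, out (string Owner, string Text) doc) => _docs.TryGetValue(id, out doc);
    public void SetText(string id, string owner, string text) => _docs[id] = (owner, text);
}

[Authorize] // unauthenticated connections are rejected before any hub method runs
public class DocumentHub : Hub
{
    private readonly DocumentStore _store;
    public DocumentHub(DocumentStore store) => _store = store;

    // Identity comes from the authenticated connection, never from a client-supplied argument.
    private string CallerId => Context.UserIdentifier ?? throw new HubException("Not authenticated.");

    public string Read(string docId) => LoadOwned(docId).Text;

    public async Task Update(string docId, string text)
    {
        // Re-validate input on the server; any client-side check can be skipped by another program.
        if (text is null || text.Length > 10_000) throw new HubException("Invalid text.");
        LoadOwned(docId); // throws unless the caller owns this document
        _store.SetText(docId, CallerId, text);
        // Send the change only to the owner's connections, not to Clients.All.
        await Clients.User(CallerId).SendAsync("DocumentUpdated", docId, text);
    }

    private (string Owner, string Text) LoadOwned(string docId)
    {
        // Same error for "missing" and "not yours", so document ids cannot be probed.
        if (docId is null || !_store.TryGet(docId, out var doc) || doc.Owner != CallerId)
            throw new HubException("Document not found.");
        return doc;
    }
}
```

Register the store with `AddSingleton<DocumentStore>()` and expose the hub with `MapHub<DocumentHub>(...)` on an HTTPS endpoint.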