Update - we have patched this issue in our Public BaaS.

The API call is now blockable via API Blocking - but it's also disabled by default now (via the core API itself). There's a new compatibility flag (that is by default enabled for all existing apps) that preserves the old functionality.

Paul.