Yes, it is a proxy request that Shopify routes to an endpoint hosted with our app. With our implementation, a customer ID must be provided and the namespace and key names of existing metafields you have configured within our app must also be known to successfully write the values. This is, of course, not a very high level of security, but the exposure is very low here considering: a) metafields are not by themselves a security risk - they are just very benign storage buckets of string/integer values that trigger no automatic actions or changes, b) our app (like most proxy apps should) verifies that each request it receives through the proxy is a valid Shopify proxy request (see here) and will not accept any that doesn't pass the signature authentication check, c) no customer data other than preconfigured metafields can be updated using this method.
Hope that's useful.
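
The two checks described in the reply above (signature verification, then a preconfigured-metafield allowlist), sketched as an added example that is not the app's own code. It uses Shopify's documented app proxy scheme (HMAC-SHA256 over the sorted, concatenated parameters, keyed with the app's shared secret); the secret, the allowlist and the `namespace`/`key`/`value` parameter names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SHARED_SECRET = "constructed-secret-for-example"  # constructed, not a real key
ALLOWED_METAFIELDS = {("profile", "nickname")}    # hypothetical preconfigured fields

# Constructed sample of what a proxied request's query parameters look like.
SAMPLE_PARAMS = {
    "shop": "example.myshopify.com", "path_prefix": "/apps/example",
    "timestamp": "1700000000", "logged_in_customer_id": "1001",
    "namespace": "profile", "key": "nickname", "value": "sam",
}


def proxy_signature(params, secret):
    # Each parameter as name=value (repeated values joined with commas),
    # sorted, concatenated with no separator, then HMAC-SHA256 as hex.
    message = "".join(sorted(f"{k}={','.join(v)}" for k, v in params.items()))
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_proxy_request(query_string, secret=SHARED_SECRET):
    """Return the parsed parameters if the signature is valid, else None."""
    params = parse_qs(query_string, keep_blank_values=True)
    supplied = params.pop("signature", [])
    if len(supplied) != 1:  # missing or duplicated signature is rejected
        return None
    expected = proxy_signature(params, secret)
    # Constant-time comparison on bytes avoids leaking how many digits matched.
    if not hmac.compare_digest(expected.encode(), supplied[0].encode()):
        return None
    return params


def authorize_metafield_write(query_string):
    """Accept only signed requests that target a preconfigured metafield."""
    params = verify_proxy_request(query_string)
    if params is None:
        return False
    # "namespace" and "key" are hypothetical parameter names for this example.
    target = (params.get("namespace", [""])[0], params.get("key", [""])[0])
    return target in ALLOWED_METAFIELDS


def sign(params, secret=SHARED_SECRET):
    # Helper for the example: build a query string signed as the proxy would.
    sig = proxy_signature({k: [v] for k, v in params.items()}, secret)
    return urlencode({**params, "signature": sig})
```

Because the customer ID is part of the signed parameters, changing it after signing invalidates the request.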