We had a similar exploitation of new features last month with Lightning.Pub, drainage attacks are constantly being attempted on any public facing Lightning API. This has set us back several months (not to mention runway from what was looted) focusing on additional hardening.

Such attacks usually cost something to attempt (deposit first then over-withdraw), and so this is yet another reason you should to self-host because obscurity can be a last line of defense.

The higher profile a service is, the more likely it is where new vulns will be found.