This questions concerns the RequestFactory of GWT.
If I would have a User object in my server domain that has a method getPassword(). And I create a UserProxy (extends EntityProxy) that doesn't have this getPassword() method. Does this create a security whole? Because the User object at the server domain has a password as it's field, and if a malicious user would change some javascript and ask the password in a clever way, would the malicious user retrieve the password? It seems to me that there are no checks to prevent the getPassword() method being called from the client side.
The RequestFactoryServlet (actually the SimpleRequestProcessor it uses, but that's hardly more than an implementation detail) uses your interfaces to determine which properties are accessible (either get or set) and which service methods are callable, so there really is no risk that someone could do something that you didn't expose through proxy or context interfaces.