If you search the web for info on publicly-accessible Elasticsearch instances, you'll find a lot of articles about ransomware attacks in which databases were hijacked. You'll find this DZone article from 2017 that says:
"Whatever you do, never expose your cluster nodes to the web. This sounds obvious, but evidently this isn't done by all. Your cluster should never-ever be exposed to the public web."
It goes on to recommend writing a small proxy service with limited functionality. The client talks to the proxy, the proxy talks to Elasticsearch over a private interface. (This article, from a company trying to sell a product, goes into some of the pitfalls of this approach.)
However, this advice seems to predate the general availability of the X-Pack Security plugin. The documentation talks about authenticating users, roles, etc. but doesn't directly answer the question:
Provided you configure it properly (i.e., unauthenticated users cannot read or write data they shouldn't be able to), is it safe to expose an Elasticsearch server to the Internet without a proxy?
For example, if X-Pack has had a history of security vulnerabilities, or if it is possible to tie up compute resources by sending highly complex queries, it would not be advisable to expose its port directly to clients.
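The "small proxy service with limited functionality" approach the question mentions, written out as an added Go example (not code from the question, the DZone article, or Elasticsearch itself). The index name `app-logs`, the upstream address `127.0.0.1:9200` and the listening port are assumptions; the point is that the proxy forwards only an explicit allowlist of read-only endpoints and rejects everything else, so cluster administration and write APIs are never reachable from the public side.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"regexp"
)

// Allowlist expressing the "limited functionality" the proxy exposes:
// read-only searches and document lookups on one application index
// (assumed name "app-logs"). Cluster endpoints, index creation and
// deletes are not listed and are therefore refused.
var allowed = []struct {
	method string
	path   *regexp.Regexp
}{
	{"GET", regexp.MustCompile(`^/app-logs/_search$`)},
	{"POST", regexp.MustCompile(`^/app-logs/_search$`)},
	{"GET", regexp.MustCompile(`^/app-logs/_doc/[A-Za-z0-9_-]+$`)},
}

// Allowed reports whether a method/path pair is on the allowlist.
func Allowed(method, path string) bool {
	for _, rule := range allowed {
		if rule.method == method && rule.path.MatchString(path) {
			return true
		}
	}
	return false
}

// NewProxy returns a handler that forwards only allowlisted requests to
// the Elasticsearch node on the private interface and answers 403 otherwise.
func NewProxy(upstream *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !Allowed(r.Method, r.URL.Path) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		// Cap the request body so a client cannot stream an unbounded query.
		r.Body = http.MaxBytesReader(w, r.Body, 64<<10)
		rp.ServeHTTP(w, r)
	})
}

func main() {
	upstream, _ := url.Parse("http://127.0.0.1:9200") // assumed private-interface node
	log.Fatal(http.ListenAndServe(":8080", NewProxy(upstream)))
}
```

The allowlist does not by itself bound query complexity; that still has to be limited on the Elasticsearch side (or by inspecting the query body in the proxy), which is exactly the resource-exhaustion concern the question raises.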