There's this page which says:
NOTE: Elasticsearch installations are not designed to be publicly accessible over the Internet. IP Filtering and the other capabilities of the Elasticsearch security features do not change this condition.
There's also this page which says:
Do not expose Elasticsearch to the Internet, instead have an application make requests on behalf of the Internet. Do not entertain the thought of having an application "sanitize" requests to Elasticsearch. Understand that it is possible for a sufficiently determined malicious user to write searches that overwhelm the Elasticsearch cluster and bring it down.
I do think it's fair to say that this important information is rather well hidden in these docs. Would you open a GitHub issue to suggest making it more prominent?
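One way an application can "make requests on behalf of the Internet" rather than sanitize client-supplied queries, as an added example that is not part of the original post or the Elasticsearch documentation: the client sends only a few typed parameters, and the application maps them onto a fixed, bounded search body. The function name, the `title` and `published` fields, and all limits are assumptions chosen for illustration; the code only builds the request body and does not contact a cluster.

```python
# Added example. Field names ("title", "published") and every limit below
# are assumptions, not values from the post or the Elasticsearch docs.
MAX_TERM_LEN = 200
MAX_PAGE_SIZE = 50
MAX_WINDOW = 1000  # highest from + size the application will ever request
ALLOWED_SORT = {
    "relevance": ["_score"],
    "newest": [{"published": "desc"}],
}


def build_search_body(term, page=1, page_size=10, sort="relevance"):
    """Build a fixed-shape search body from typed parameters.

    The client never supplies query DSL, so there is nothing to "sanitize":
    the only user-controlled value is the text of a match query.
    """
    if not isinstance(term, str) or not term.strip():
        raise ValueError("term must be a non-empty string")
    if len(term) > MAX_TERM_LEN:
        raise ValueError("term too long")
    if sort not in ALLOWED_SORT:
        raise ValueError("unknown sort option")

    page, page_size = int(page), int(page_size)
    if page < 1 or not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("page or page_size out of range")
    offset = (page - 1) * page_size
    if offset + page_size > MAX_WINDOW:
        raise ValueError("result window too deep")

    return {
        # match analyzes the input as plain text; wildcard, regex and
        # query_string operators typed by the user are not interpreted.
        "query": {"match": {"title": {"query": term}}},
        "from": offset,
        "size": page_size,
        "sort": ALLOWED_SORT[sort],
        "timeout": "2s",             # bound time spent per shard
        "terminate_after": 10000,    # bound documents collected per shard
        "track_total_hits": False,   # skip exact hit counting
        "_source": ["title", "published"],
    }


if __name__ == "__main__":
    print(build_search_body("backup *.* OR a*", page=3, page_size=20))
```

Requests that fail validation are rejected by the application and never reach the cluster, which should itself remain reachable only from the application's network.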