JavaScript remoting for Apex

As for CSRF, @ca_patterson has already answered that on Javascript Remoting CSRF.

As for users interacting directly with the methods, it certainly is possible, if someone has the correct knowledge. You could unset the variables that enable this functionality, though. I'm not sure how much protection that offers, but it might look something like:

<apex:page controller="MyRemotingClass">
    <script>
    (function (D, w) {
        "use strict";
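        D.addEventListener('DOMContentLoaded', function () {
            // Once the DOM is ready, replace the remoting globals with
            // empty objects so the generated stubs are no longer
            // reachable under these names.
            w.Visualforce = {};
            w.MyRemotingClass = {};
        });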
    }(document, window));
    </script>
</apex:page>

Cross-Scripting Protection

There's a CSRF token that has to be presented in the payload:

{ "action":"myns.remote",
  "method":"method",
  "data":null,
  "type":"rpc",
  "tid":2,
  "ctx": { "csrf": "VmpFPSxNakF4Tmkwd09DMHdOMVF4TnpveE16b3dPUzQ1TWpGYSxwM25uNjhvbnluZ3BINnVRSDdzandILFpXVTFaVGcz",
           "vid":"06650000000MwYp",
           "ns":"myns",
           "ver":30
   }
}

It's basically impossible to access the CSRF from outside Salesforce. There's also Content-Security-Policy in place that prevents casual access to the resources by compliant browsers. A valid session Id must also be presented in the headers.

User Protection

There's no protection from users opening the Console and typing in JavaScript commands. In fact, I often use this for testing purposes. Of course, normal policies apply; if the user isn't allowed to access the page or the Apex Class, they'll be denied access.
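
Because any user who can reach the class can invoke its remote methods directly, the checks that matter sit in the Apex method itself. The following is an added example, not code from either answer: the method `renameAccount`, its parameters and the `RemotingException` type are hypothetical, and only the class name `MyRemotingClass` comes from the page above.

```apex
// Added example: a @RemoteAction that treats every argument as untrusted.
// renameAccount, its parameters and RemotingException are hypothetical names.
public with sharing class MyRemotingClass {

    public class RemotingException extends Exception {}

    @RemoteAction
    public static Id renameAccount(String accountId, String newName) {
        // 1. Validate shape: arguments can come from the page's own script
        //    or from a call typed into the browser console.
        if (String.isBlank(newName) || newName.length() > 255) {
            throw new RemotingException('Invalid name');
        }

        Id accId;
        try {
            accId = Id.valueOf(accountId);
        } catch (Exception e) {
            throw new RemotingException('Invalid record Id');
        }
        if (accId.getSobjectType() != Account.SObjectType) {
            throw new RemotingException('Invalid record Id');
        }

        // 2. Object- and field-level permissions: Apex does not apply
        //    these automatically, so check them for the running user.
        if (!Schema.sObjectType.Account.isUpdateable() ||
            !Schema.sObjectType.Account.fields.Name.isUpdateable()) {
            throw new RemotingException('Insufficient access');
        }

        // 3. Record-level access: "with sharing" on the class limits the
        //    query to records the running user is allowed to see.
        List<Account> rows = [
            SELECT Id
            FROM Account
            WHERE Id = :accId
            WITH SECURITY_ENFORCED
            LIMIT 1
        ];
        if (rows.isEmpty()) {
            throw new RemotingException('Insufficient access');
        }

        rows[0].Name = newName;
        update rows[0];
        return rows[0].Id;
    }
}
```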