In this case, I cordially suggest that the concern is not “the use of dispatch-tables per se,” but the authentication that must take place to confirm that a particular dispatch-table entry may be used.

When I construct dispatch tables, I usually employ a hashref where each element points to another hashref with several entries in it.   One of these of course is a reference to the sub that must be called to do the work.   Others may be to subs that serve as parameter-validators and security checkers ... you can get as fancy as you like, even setting up arrays of these subroutine references.

And then, when the target routine actually does get control, it, too, I believe, has the same duty to check once again that it is being called under appropriate conditions.   (Those checks can be simpler, since they basically serve to double-check that the dispatcher is doing its job.)   Only requests that have been scrutinized several times, by code that exists in several different places, actually get carried out.