Well, I suppose that any such thing is “as (in)secure as you can make it,” but what you seem to be describing here is fairly similar to what RPC::Any::Server does.   There are many, many ways to do it, and really I think that the only thing which you must be very-sure of is that only intended methods can ultimately be called.   Attributes are certainly one valid way of making such a designation.

I suppose it partly depends on just how many (acceptable) request-types there might be, and how easy it needs to be to add new ones.   Logic that is based on can() and agreed-upon attributes does have the potential advantage that you only need to add code in one place to add new “subroutines” to the system.