
One of the major issues with XML-RPC functionality in WP is that it's enabled by default and opens up a wide target for brute force attacks[1]. I'm assuming this will not change with their REST API. Let's face it, how many WP sites out there really need POST/PUT/DELETE endpoints to be enabled for their family blog?

[1] https://blog.sucuri.net/2015/10/brute-force-amplification-at...


