gRPC & Protobuf Security

gRPC feels like a black box — binary protobuf over HTTP/2 — so people assume it is hard to attack. It is not. The wire format is tag-value, not encryption; server reflection hands over the whole API; transport auth gets mistaken for authorization; and the parser can be blown up by a tiny message. How to enumerate, decode, tamper and DoS a gRPC service, and how to actually lock one down.
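To make the first point concrete, here is a hand-written protobuf wire-format decoder. It is an added example, not code from the original article and not the protobuf library's own API: it walks a message as a sequence of varint keys (`field_number << 3 | wire_type`) followed by a value whose shape is fixed by the wire type, which is all the "binary" format amounts to. The sample message, its field numbers and the value `alice` are constructed by hand for the example; the `MAX_DEPTH` cap and the `is_well_formed` helper are the example's own additions. The length-delimited branch also shows the check a parser needs in order to reject a few-byte message that declares a multi-gigabyte field before anything is allocated.

```python
"""Minimal protobuf wire-format decoder (added example, not from the original page).

Demonstrates that protobuf encoding is plain tag-value framing: no schema or
key is needed to read field numbers and raw values out of a captured message.
"""
from typing import Any, List, Tuple

# Wire types used by current protobuf; 3 and 4 (groups) are deprecated.
VARINT, FIXED64, LEN, FIXED32 = 0, 1, 2, 5
MAX_DEPTH = 16  # example's own cap on nested-message recursion (assumption)


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a base-128 varint starting at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")  # malformed, refuse
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def decode(buf: bytes, depth: int = 0) -> List[Tuple[int, str, Any]]:
    """Parse one message into (field_number, wire_type_name, value) triples.

    Length-delimited fields are returned as raw bytes; the caller decides
    whether to decode them again as a nested message (passing depth + 1).
    """
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    fields: List[Tuple[int, str, Any]] = []
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 0x7
        if field_no == 0:
            raise ValueError("field number 0 is illegal")
        if wire_type == VARINT:
            val, pos = read_varint(buf, pos)
            fields.append((field_no, "varint", val))
        elif wire_type == FIXED64:
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            fields.append((field_no, "fixed64", int.from_bytes(buf[pos:pos + 8], "little")))
            pos += 8
        elif wire_type == FIXED32:
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            fields.append((field_no, "fixed32", int.from_bytes(buf[pos:pos + 4], "little")))
            pos += 4
        elif wire_type == LEN:
            length, pos = read_varint(buf, pos)
            # Bounds check before touching the payload: a tiny message can
            # declare a length far larger than the buffer it arrived in.
            remaining = len(buf) - pos
            if length > remaining:
                raise ValueError(f"declared length {length} exceeds remaining {remaining} bytes")
            fields.append((field_no, "bytes", buf[pos:pos + length]))
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
    return fields


def is_well_formed(buf: bytes) -> bool:
    """True if the message parses without a framing error."""
    try:
        decode(buf)
        return True
    except ValueError:
        return False


# Constructed sample, built by hand from the encoding rules (not a capture):
#   field 1, varint 150     -> 08 96 01
#   field 2, string "alice" -> 12 05 61 6c 69 63 65
#   field 3, nested message {field 1, varint 1} -> 1a 02 08 01
SAMPLE = bytes.fromhex("089601") + b"\x12\x05alice" + b"\x1a\x02\x08\x01"

# Constructed six-byte message whose field 2 claims a length of 2**32 - 1.
OVERSIZED = b"\x12\xff\xff\xff\xff\x0f"

if __name__ == "__main__":
    for field_no, kind, value in decode(SAMPLE):
        print(field_no, kind, value)
    print("oversized message well-formed?", is_well_formed(OVERSIZED))
```

Run as a script it prints the three top-level fields of the sample in the clear, which is the whole point: anything a client can send, a proxy or log pipeline can read, so confidentiality has to come from TLS and access control, not from the encoding. The `OVERSIZED` case is rejected at the length check rather than by attempting a 4 GiB slice.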
