Thanks
Well the main reason I wanted to do an API is due to database relationships. There's quite a few complex relationships involved and having to work these out with SQL can cause issues... For example the N+1 issue could easily come into play. This obviously is easily avoided using an API.
Security wise, you don't pass any database credentials into the plugin at all, just a easily changeable API key and URL. To me, that's more secure.
As for slowing down querying, I don't see why? If anything, the queries will be more optimised, only returning the exact data needed.