I think as long as the “IT person” from your clients business understands the pitfalls of the rules based proxy setup (here) and configures the rules correctly, it’s a viable option if the customer takes on the responsibility. A lot of network people understand these configurations better than most us devs.
I personally as a consultant wouldn’t support the setup, because it’s hard to debug proxy setups. As Netlify states in the aforementioned link, they can’t debug something they can’t see. If they are trying to stop attacks at the api level, maybe the api’s should be the only thing proxied. Not even sure how this setup would affect the edge configuration.
There really is no right answer here. Trade-offs all around.