Yeah I’m pretty sure you’d have to use private APIs to be able to fake reviews using the new controller. They’d probably ban your developer account if you tried this. Don’t think it would be worth it.
They have the ability to run views entirely out of process. I can't guarantee they're doing it here, but I don't think it would be hard for them to make it completely immune even to private API abuse.