Possible security problems exposing Radicale to the internet?

[OIRNOIR]

I'm installing Radicale and was confused by this language in the installation guide: In the reverse proxy section, it says that "Untrusted clients should not be able to access the Radicale server directly. Otherwise, they can authenticate as any user." Does this mean that someone without my credentials will be able to access my Radicale remotely? Is it only if the X-Remote-User header is passed? Am I safe if requests are not allowed except through nginx?