I think I understand how it works -- and they have an option for installing a firewall on your server (htaccess file?) that will block any traffic that didn't come from them. That's optional, and I'd imagine that if you didn't use it you could be SQL injected right around this service by the attacker using your server's IP address.

But I'm going to hook up my nearlyfreespeech.net sites up and see how things go.