If malicious sites utilize our API, this allows the user to easily get their hands on array data that the server passes back to the client, such as specs, stacks, or volumes. Since "stacks" can contain password information regarding services, this seems like a security hole. (although, since the browser's Developer console can show you this, perhaps it is a moot point)
To counter this your server can prefix all JSON requests with following string
Angular will automatically strip the prefix before processing it as JSON.
Real world example (gmail): http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html