HTTP tracking API and spam logs

I see that the token_auth is only required for specific parameters. Does this mean that anyone can spam my Matomo instance if he wants to with rubbish logs?