I mean, actually using Goatse here would probably be a bad idea, but what I really meant by my comment is "maybe you ought to treat this like any other hotlinking abuse situation, for which there are many commonly employed mitigations."
Serving shock images or other rude content is just the particular mitigation that makes me giggle.
I think the “professional” way to handle this is to implement API keys and rate limit requests without API keys heavily. (Possibly putting a link to your pricing page in the “too many requests” header.)
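A sketch of the API-key approach suggested in the comment above, added here as an illustration and not part of the thread: requests with a valid key get a generous token bucket, while everything else shares a heavily limited per-IP bucket and receives a 429 pointing at the pricing page. The URL, sample key, limits, and the choice of a `Link` header are all assumptions.

```python
import math
import time
from dataclasses import dataclass

PRICING_URL = "https://example.com/pricing"  # placeholder URL (assumption)
VALID_KEYS = {"demo-key-123"}                # constructed sample key
KEYED_LIMIT = (60, 1.0)   # (burst capacity, tokens refilled per second)
ANON_LIMIT = (3, 0.05)    # heavy limit for requests without a valid key

@dataclass
class Bucket:
    capacity: float
    rate: float
    tokens: float
    updated: float

    def take(self, now):
        """Refill for the elapsed time, then try to spend one token.
        Returns 0.0 if allowed, else seconds until a token is available."""
        elapsed = now - self.updated
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return 0.0
        return (1 - self.tokens) / self.rate

class Limiter:
    def __init__(self):
        self.buckets = {}

    def check(self, api_key, client_ip, now=None):
        """Return (status, headers) for one request."""
        now = time.monotonic() if now is None else now
        keyed = api_key in VALID_KEYS
        # Missing or unknown keys fall back to the per-IP anonymous tier,
        # so sending a bogus key does not buy a fresh bucket.
        ident = ("key", api_key) if keyed else ("ip", client_ip)
        cap, rate = KEYED_LIMIT if keyed else ANON_LIMIT
        bucket = self.buckets.setdefault(ident, Bucket(cap, rate, cap, now))
        wait = bucket.take(now)
        if wait == 0.0:
            return 200, {}
        headers = {"Retry-After": str(math.ceil(wait))}
        if not keyed:
            # Header choice is an assumption; the comment only says "header".
            headers["Link"] = f'<{PRICING_URL}>; rel="payment"'
        return 429, headers
```
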