That would be a fairly trivial query for IoTaWatt, even if you requested multiple metrics (Watts, Wh, Amps, etc.), although the response table would be pretty big.
Assuming that your router has no vulnerabilities when port forwarding is enabled, I don’t believe the IoTaWatt could be used to create a wormhole into your LAN. I say that because the firmware is pretty straightforward and uses a pretty secure signature verification to update. That said, there are lower-level layers in the IP stack that I cannot vouch for, notwithstanding they are open source as well (lwip) and well used.
If the question is whether the IoTaWatt itself can be secured when there is an open port to the internet, the answer is sort-of and indirectly.
IoTaWatt can’t do HTTPS. All traffic (except a special case to Emoncms) is plaintext POST payloads. So anyone positioned in the path could see the data passing through.
You can use a reverse proxy to add HTTPS to the portion of the communication exposed to the internet port. I use that system with an RPi running Nginx exposing an HTTPS port to the internet and relaying to the IoTaWatt(s). I use OpenSSL and Let's Encrypt certs. This is mainstream protection against man-in-the-middle attacks and uses secure encryption.
There is still a need to authorize the HTTPS session, and the IoTaWatt uses Digest authentication when a password is specified in setup. Digest authentication does not expose the password to onlookers, and in fact, the actual password is not stored in the IoTaWatt.
So you can restrict access using the already available Digest Authentication, and you can get encryption and domain authentication using a reverse proxy.
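The Digest exchange described above, as an added example that is not part of the original post and not IoTaWatt's code: the server checks a login using only a stored hash (HA1), and the password itself never appears in the request. It assumes RFC 2617 Digest with MD5 and `qop=auth`, since the post does not say which variant the firmware implements; the function names and the values in the demo are constructed.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """Hash the server keeps in place of the password (RFC 2617 HA1)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorize(username, realm, password, method, uri, nonce):
    """Fields a client sends in the Authorization header; no password among them."""
    nc, cnonce = "00000001", secrets.token_hex(8)
    ha1 = make_ha1(username, realm, password)
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": digest_response(ha1, method, uri, nonce, nc, cnonce)}


def server_verify(stored_ha1, method, issued_nonce, auth):
    """Verify parsed Authorization fields using only the stored HA1."""
    if auth["nonce"] != issued_nonce:   # response is bound to the server's nonce
        return False
    expected = digest_response(stored_ha1, method, auth["uri"],
                               auth["nonce"], auth["nc"], auth["cnonce"])
    return hmac.compare_digest(expected, auth["response"])


if __name__ == "__main__":
    # Constructed sample values: user, realm, password and path are illustrative.
    stored = make_ha1("admin", "example-realm", "s3cret-pass")
    nonce = secrets.token_hex(16)       # server challenge
    auth = client_authorize("admin", "example-realm", "s3cret-pass",
                            "GET", "/status", nonce)
    print("valid login:", server_verify(stored, "GET", nonce, auth))
    print("replayed under a new nonce:",
          server_verify(stored, "GET", secrets.token_hex(16), auth))
```

Digest protects the password only; the request and response bodies remain readable on any hop that is not wrapped in HTTPS.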