There is an unofficial webhook binding which might be an easier overall approach to running a separate proxy service.
If you have BasicUI installed, you can also use the way it works to send commands to Items through a GET request, but I wouldn’t rely on that as it is unofficial, not supported, and could go away without warning.
I think all your same advantages and disadvantages apply, only perhaps it is not quite as undermining of the REST API security since the API security token or username/password doesn’t need to be exposed externally to OH.
I wonder if it would make sense for the Android/iOS app to include a QR code scanner. That’s not all that different from the NFC use case really. Though it probably wouldn’t even need to be a built-in scanner so much as an application URL that tells the phone to open the app and that tells the app what command to send to which Item.