The fear here is that if a class wasn't explicitly designed to be an RPC interface, then it could very easily offer functionality that isn't safe to expose over a security boundary with RPC. Normally, JavaScript classes do not expect their APIs to be security boundaries.

With that said, I do think we ought to support `new RpcStub(myObject)` to explicitly create a stub around an arbitrary class, even if it doesn't extend `RpcTarget`. It would be up to the person writing the `new RpcStub` invocation to verify it's safe.