"It's open source" isn't the full story. Something can be open source and also used in a harmful way. You're right that gRPC-Web alone isn't a huge issue, but it's part of a larger trend of Google wanting to Google-fy the web, technology, or even society as a whole (see the leaked Selfish Ledger and Good Censor presentations).
Specifically in the case of gRPC-Web, even though "it's open source", does every gRPC service exposed on the web provide a .proto file for you to build your own client? If not, that's a big step down in terms of power given to end-users compared to REST.
Google is externalizing a lot of tools used internally for years. Use them or don't, it's your choice, but lots of time and effort has gone into making them work well so there's value there being made available for free.
To your point about .proto files for public endpoints: does every JSON HTTP endpoint exposed to the web provide documentation for you to build your own client? (of course not)
Again, I don't think this specific example is hugely significant, I'm looking at the larger trend.
Re: public endpoints. Say you're poking around a public web service, and it doesn't provide an API. Maybe you're writing a browser extension. Would you rather reverse engineer a JSON HTTP API with no documentation, or a gRPC-Web API with no .proto file?
Specifically in the case of gRPC-Web, even though "it's open source", does every gRPC service exposed on the web provide a .proto file for you to build your own client? If not, that's a big step down in terms of power given to end-users compared to REST.