Nice things: simple tool that does one thing well. As mentioned above, it lets the database itself decide on permissions. If you want SSL support, just put it behind an NGINX reverse proxy. It lets you get creative with queries in the query-string part of your url.

Lacking: I didn't really find anything lacking; it was able to do everything I needed. I'm a pretty basic end-user, not an expert. At first I was confounded by the limitation of one schema per PostgREST instance; but that's easy to work with or work around. I created a single "api" schema which contained nothing but views of tables that lived in other places. You can also just run more than one instance of PostgREST if you want to expose more than one schema.