We now have a public-facing method in the Web API that accepts POST data (/known).
We should have a catch-all/last-resort limit on the size of incoming POST requests for all API methods to avoid abuse.
That specific endpoint will accept requests on the order of a few tens of KiB (50 KiB in the current proposal for T2276). I'm guessing a significantly larger Varnish limit, e.g., 1 MiB (?), would be enough to avoid having to fiddle with it too often and still prevent significant abuse.
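
One way to express such a catch-all limit in VCL, as an added example that is not part of the original task or the project's configuration. It assumes the 1 MiB figure floated above, a placeholder backend address, a 413 response for oversized bodies, and that PUT and PATCH should be capped along with POST.

```vcl
vcl 4.1;

import std;

# Placeholder backend (assumption): point this at the real Web API origin.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Catch-all cap on request bodies, applied to every API method.
    # Per-endpoint limits (e.g. 50 KiB for /known) stay in the application.
    if (req.method == "POST" || req.method == "PUT" || req.method == "PATCH") {

        # Cheap early reject when the client declares an oversized body.
        # 1048576 bytes = 1 MiB; a missing header falls back to 0 here and is
        # handled by the buffering check below.
        if (std.integer(req.http.Content-Length, 0) > 1048576) {
            return (synth(413, "Payload Too Large"));
        }

        # Content-Length can be absent (chunked transfer encoding), so also
        # bound what is actually read. std.cache_req_body() buffers the body
        # up to the given size and returns false if the body exceeds it.
        # Varnish BYTES units are binary, so 1MB here means 1 MiB.
        # Side effect: each in-flight request may hold up to 1 MiB in Varnish.
        if (!std.cache_req_body(1MB)) {
            return (synth(413, "Payload Too Large"));
        }
    }
}
```

The Content-Length test alone is not sufficient as a last-resort limit, because a chunked request carries no declared length; the buffering check is what enforces the cap on the bytes actually received.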