REST is, by its nature, very predictable in its endpoints and in the content of its requests, since each call is just an HTTP request. The assumption is that end users who are familiar with a site's URL structure can easily guess how to accomplish what they want, which can be interpreted as a gap in the system's security. This is considered one of the first drawbacks of RESTful APIs, but we will get to this in a minute.
Regarding performance, SOAP is considered the more advanced of the two. SOAP stacks combine normal HTTP processing with XML parsing and make good use of event-based parsing, which adds to their scalability, while REST relies on HTTP processing alone.
Within the industry, there is a prolonged debate that criticizes the security of REST relative to other approaches such as SOAP, which is why some developers or clients choose to avoid REST. More technically savvy developers or users would prefer REST, for the sole reason that...