I'm not sure. It certainly couldn't handle every use case, but maybe with some convention-style configurations (e.g. a record created via a POST to /users would hash any "password" field) you could handle a bunch of typical web app scenarios.

And if that doesn't work, perhaps the schema-less prototyping is a free tier with a more robust backend service offering for the paid tier?

"The password field is handled differently than the others; it is encrypted on the server and never returned to any client request."

https://www.parse.com/docs/rest#users