
Ancient "feed.publish" API is (at best) long obsolete, and arguably exploitable
Closed, Resolved, Public

Description

See https://hackerone.com/reports/1566325.

The ancient feed.publish API, introduced in D593, has (to my knowledge) never been used by anyone to do anything. At the time, the feed system was more modular and ad-hoc; after the "transaction" architecture took hold the feed architecture became more of a view of transactions.

This method predates the policy system and performs no checks of any kind, so callers can publish made-up feed stories. They can't necessarily do anything genuinely harmful with this (the best the HackerOne researcher could find was "make it look like you awarded an object you can't see a token"), but these writes are inappropriate in modern Phabricator and there is no reason for this method to exist.
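To make the risk concrete, here is an added toy model (constructed for this note, not Phabricator's own code; the object ids, user names and the "viewers" stand-in for a view policy are assumptions) contrasting the unchecked legacy shape of feed.publish with a publish path that derives the story from a server-side transaction and enforces a view check first:

```python
# Constructed toy model of the issue described above; not Phabricator code.
# It contrasts an endpoint that publishes whatever the caller sends with one
# that only derives a story from a server-side transaction after a view check.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Obj:
    phid: str
    viewers: frozenset  # constructed stand-in for a view policy


@dataclass
class Feed:
    stories: list = field(default_factory=list)


def legacy_publish(feed, actor, story):
    """Old shape: the client supplies the whole story and nothing is verified,
    so 'actor awarded a token on X' can be fabricated for any X."""
    feed.stories.append({**story, "actor": actor})
    return len(feed.stories)


def publish_from_transaction(feed, actor, txn, objects):
    """Modern shape: a story is a view of a transaction; the server checks the
    actor can view the object and recognises the type before writing."""
    obj = objects.get(txn["object_phid"])
    if obj is None or actor not in obj.viewers:
        raise PermissionError("actor cannot view " + str(txn["object_phid"]))
    if txn["type"] not in {"awarded-token", "commented"}:
        raise ValueError("unknown transaction type")
    feed.stories.append({"actor": actor, "type": txn["type"], "object_phid": obj.phid})
    return len(feed.stories)


def demo():
    """mallory cannot view PHID-TASK-1 (constructed id): the legacy path still
    records the story, the checked path refuses it."""
    objects = {"PHID-TASK-1": Obj("PHID-TASK-1", frozenset({"alice"}))}
    feed = Feed()
    story = {"type": "awarded-token", "object_phid": "PHID-TASK-1"}
    accepted = legacy_publish(feed, "mallory", story)
    try:
        publish_from_transaction(feed, "mallory", story, objects)
        rejected = False
    except PermissionError:
        rejected = True
    return accepted, rejected  # (1, True)
```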
