Am I correct in thinking that the goodness of Cloud Endpoints comes with the following limitations:

1. The REST Api cannot be deployed to a custom domain (it'll remain on appspot.com).
2. The only authentication supported is OAuth against Google accounts.
   1. Corollary: it isn't currently possible to create a user login/session-tracking mechanism that is Google-accounts-agnostic (e.g., with email as username and a password).

Is there any plan to do away with these limitations and if so, what is the ETA?

Taking these item by item:

1. Currently, yes this is still the case. Keep in mind, our initial release is targeted at a same-party use-case, where the domain you're serving from basically doesn't matter (it's not user/developer-facing). If you want to use your API to drive a website, you can use your custom domain to have your user-facing content, and still make requests to your appspot domain using CORS. If you're building a mobile app, no one sees the domain at all.
2. Built-in support (i.e. using the User object) is limited to Google accounts, but you're free to build your own authentication scheme by checking the OAuth headers (or email/password if you must...)
3. (From the comments, regarding GA status). Endpoints is now GA.
4. (From the comments, regarding public APIs). Your APIs must be public, but you can limit the clients that can make requests. If you want to make a secret API, i.e. the existence of the API must itself be protected, that's not currently supported. I'd be curious to hear how popular a request this is, but I suspect it's not a blocker for most people.