Actually, you cannot call a servlet from another servlet. You can only forward, unless you just break into the servlet's processing methods by main brute force.
You definitely don't "call" a servlet from JavaScript. Since JavaScript runs on the client and the servlet runs on the server, the client can only make an HTTP(S) request that invokes a servlet's processing method.
The biggest security risks in a J2EE application don't come so much from whether requests were made directly from a browser or via AJAX, but from whether or not the webapp was designed secure to begin with. Which is the main reason I make so much noise about not writing your own security system if the J2EE-standard one can be used instead.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.
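As an added illustration (not part of the original post), this `web.xml` fragment shows the J2EE-standard, container-managed security the post recommends, applied to a URL pattern so that it covers browser navigation and AJAX calls alike. The URL pattern `/api/*`, the role name `user`, the realm name and the login page paths are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- The container checks this constraint before any servlet code runs.
       It sees only an HTTP request for a URL, so a request typed into the
       address bar and one sent by XMLHttpRequest are treated identically. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected endpoints</web-resource-name>
      <!-- Assumed pattern: every servlet mapped under /api/ -->
      <url-pattern>/api/*</url-pattern>
      <!-- No http-method elements on purpose. Listing methods here would
           restrict the constraint to those methods only and leave every
           other HTTP method on the same URLs unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Assumed role name; it must match a security-role declared below -->
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require HTTPS so credentials and session cookies are not sent in clear -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication is performed by the container against its configured
       realm, not by application code. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ExampleRealm</realm-name>
    <form-login-config>
      <!-- Assumed page paths -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

By default these constraints are evaluated on requests arriving from the client, not on server-side `RequestDispatcher` forwards, so a servlet that forwards to a protected resource remains responsible for that decision.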