Con Due to security concerns, external use requires a reverse proxy in front of it
Kestrel is fairly new and doesn't yet have the full suite of security features that you might find in a more mature server. It's recommended to run IIS, Nginx, or Apache in front of it set as a reverse proxy to handle incoming connections. The connections are then passed off to Kestrel after preliminary handling. Because of Kestrels young age, it doesn't have a full defense against attacks which includes, but isn't limited to, appropriate timeouts, size limits, and concurrent connection limits.
Con Lacking in features
Kestrel was built to be fast, so the developers had to cut out some of the higher tier features. Kestrel was designed to push requests and that's it, so if you want additional features it's recommended to run a full-fledged web server in front of it.
You can see a full feature list in the specs section of this recommendation.