The biggest security concern is that you are not blindly including the class name like:

require_once('classes/' . $_GET['class'] . '.php');

The above would be a vulnerable example so be sure to validate the class names or any files that you include so as to avoid a Local File Inclusion vulnerability.

class_exists() won’t be enough. I would validate it first so that it only contains a-z. Then use file_exists, class_exists etc.

I imagine not all of your classes and methods will be used by the public through the routing, so have some system where you check if the router is allowed to access the specified class and method. This could be done a number of ways, for example derive publicly available classes from a base class e.g. BaseController and check if the class being included derives from that, or just keep your controllers in a separate directory to internal classes, and control access within the class as needed.

As for revealing your classes and methods – this is not really a concern, in fact it’s how most MVC frameworks work. Make sure you validate everything that comes in as user input.

For your AJAX suggestion, yes that can be done by storing the token in the session, so that you can check if it matches when the call is made. I don’t think this would add a great deal of security though. Usually AJAX services give the same data that is available on the page anyway.