just an update - we bit the bullet and changed site, group and service level permissions in our recent deployment. All service redesigns were renamed so we kept the original and revised services in production instead of over-writing.
So far so good - the only glitch was caused by me being over anxious. I moved the 'old' services into a superseded service group, which affected some permissions for performers of tasks already created. Nothing we couldn't work through though.