Good question, Anthony. I'm having this same discussion with my dev team now. The initial services created were set up using the permission "anyone", but we are discovering that if you then want to restrict visibility for certain people groups, we now need to redo the permissions. It would be interesting to hear if there is another strategy.
We had the same problem with the "anyone" access. However, we created rules to help with this, so when someone tried to access the service they would get an error due to being in a certain role that doesn't have access. The service was still visible to everyone in the catalog, but not everyone was able to order it due to the role etc. The rule should supersede the access control per moment etc. I hope I am on the right track according to what your email stated. Have fun!!