July 15, 2009

How The Drupal Services Module Should Be Used


Exploring the services module.

I'm embarrassed to say I haven't fully understood the services module, until now. I just found this great example of how the services module SHOULD be used: http://gregbosen.org/blog/drupal-services-php-xml-rpc-example and http://drupal.org/node/394364. Here's a summary in my own words:

  • Web services should ALWAYS be accessed with a logged-in user.
  • Create a special Drupal account just for web services, e.g. a "services" or "amfphp" user.
  • Create a special Drupal role called "Services" that your "services" user is a part of.
  • Assign as few permissions as you can get away with to the Services role. This account should not be a "super-user" in case it becomes compromised.
  • Now, for the fun part ... here's the CORRECT way to connect to your web services. It is a 2-step process:
    • Call the system.connect service. This service exists ONLY to give you a session token. It will return a "sessid" parameter.
    • Call the user.login service. Pass the "sessid" parameter you received from system.connect, in addition to the user name and password of your "services" user. user.login will return the UID of your "services" user, if successful.
  • Finally, you are logged into Drupal as the services user! Call whatever services you want, and don't forget to pass the "sessid" parameter each time.
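
The two-step connection above, sketched as a small Python XML-RPC client. This is an added example, not code from this post or the linked pages. The ServicesSession and open_session names, the shape of the user.login reply, and the absence of key authentication on the endpoint are assumptions.

```python
import xmlrpc.client


class ServicesSession:
    """Two-step Drupal Services login: system.connect, then user.login."""

    def __init__(self, proxy):
        # proxy: an xmlrpc.client.ServerProxy (or any object with the same
        # dotted-method interface) pointed at the site's XML-RPC endpoint.
        self.proxy = proxy
        self.sessid = None
        self.uid = 0

    def login(self, username, password):
        # Step 1: system.connect exists only to hand out a session token.
        self.sessid = self.proxy.system.connect()["sessid"]
        # Step 2: bind that session to the low-privilege "services" account.
        result = self.proxy.user.login(self.sessid, username, password)
        # Assumption: the reply is either a bare uid or a struct holding the
        # user and possibly a regenerated "sessid"; adopt the new one if sent.
        if isinstance(result, dict):
            self.sessid = result.get("sessid", self.sessid)
            self.uid = int(result.get("user", result).get("uid", 0))
        else:
            self.uid = int(result)
        if self.uid <= 0:
            # Fail closed: never continue as the anonymous user.
            raise PermissionError("user.login did not return an authenticated uid")
        return self.uid

    def call(self, method, *args):
        # Every later call carries the sessid as its first argument.
        if self.uid <= 0:
            raise PermissionError("call login() first")
        fn = self.proxy
        for part in method.split("."):
            fn = getattr(fn, part)
        return fn(self.sessid, *args)


def open_session(url, username, password):
    # The services password travels in the request body, so require TLS.
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS endpoint")
    session = ServicesSession(xmlrpc.client.ServerProxy(url))
    session.login(username, password)
    return session
```
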

Nonces and keys still apply. Learn more about those here: http://drupal.org/handbook/modules/services