One thing to keep in mind is that when you secure your ThingWorx application, you are securing not just your Mashups but also your REST API!
Anyone and anything out there can try to call that REST API, so you must secure it with that in mind.
For this, the System User is a wonderful user who should be freely assigned to EVERYTHING! Anything that only the System User is assigned to cannot be invoked directly; it can only be called from within another service, so even services like DisableThing, or services that change the design of the model, will all be secure.
Every service that is created must then be specifically permitted to the proper User Group.
Certainly this can be quite a bit of work, so we always recommend: design with security in mind, apply security while developing, and always test with a user that is within the proper security context.
Lastly, make sure to remove your design-time developers from the runtime instance, leaving only the one Platform Administrator that you will need.
In the end, that will get you a secure runtime application.
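As an added illustration (not ThingWorx code and not the author's), here is a small Python model of the two rules above and an audit that checks a constructed set of services against them. It assumes the ThingWorx behaviour the post relies on: a direct REST call is checked against the caller's own user and groups, while a call made from inside another service's script is checked as the System User; the service, group and account names are made up.

```python
"""Toy model of ThingWorx run-time ServiceInvoke permissions (constructed example)."""
from dataclasses import dataclass

SYSTEM_USER = "System"  # ThingWorx's built-in System User principal

@dataclass(frozen=True)
class Service:
    name: str
    permitted: frozenset  # principals (user or group names) granted ServiceInvoke

@dataclass(frozen=True)
class Caller:
    user: str
    groups: frozenset

def can_invoke_directly(svc: Service, caller: Caller) -> bool:
    """A direct REST call is authorised only by the caller's own user or groups."""
    return bool(({caller.user} | caller.groups) & svc.permitted)

def can_invoke_from_script(svc: Service) -> bool:
    """A call from inside another service's script is evaluated as the System User,
    so a service permitted only to System is reachable from server-side code, not over REST."""
    return SYSTEM_USER in svc.permitted

def audit(services, runtime_groups) -> list:
    """Flag services that break the two rules from the post:
    1. every service must permit the System User (otherwise service chains break);
    2. beyond System, only the designated run-time user groups may be permitted
       (a developer account or design-time group left on a service is a finding)."""
    findings = []
    for svc in services:
        if SYSTEM_USER not in svc.permitted:
            findings.append((svc.name, "System User not permitted"))
        for principal in sorted(svc.permitted - {SYSTEM_USER} - set(runtime_groups)):
            findings.append((svc.name, f"unexpected principal {principal!r} permitted"))
    return findings

# Constructed sample model: names are illustrative, not from a real instance.
RUNTIME_GROUPS = {"Operators"}
SERVICES = [
    Service("GetReadings", frozenset({"System", "Operators"})),              # exposed to operators
    Service("DisableThing", frozenset({"System"})),                          # internal only
    Service("ResetDevice", frozenset({"System", "Operators", "dev.alice"})), # developer left behind
    Service("ExportModel", frozenset({"Developers"})),                       # System missing
]
OPERATOR = Caller("bob", frozenset({"Operators"}))

if __name__ == "__main__":
    disable = SERVICES[1]
    print("operator can call DisableThing over REST:", can_invoke_directly(disable, OPERATOR))  # False
    print("DisableThing callable from a service script:", can_invoke_from_script(disable))      # True
    for name, problem in audit(SERVICES, RUNTIME_GROUPS):
        print(f"FINDING {name}: {problem}")
```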