Access to the tuple space is necessarily read / write for all clients of the space. This is analogous to having a JDBC source which is read / write. It feels slightly different, though, as you may relate to several clients simultaneously, not only a single EAR.
It is rather easy to create malicious clients, and you therefore need to trust your client - on some some level.
When using the webservices module, you may want to enforce some additional constraints, such as allowing connection only from certain IPs. Additionally, you may want to use the authenticating token service. This will nevertheless only guarantee that the malicious user has authenticated...
The bottom line is that using the webservices module, you may want to take additional steps for securing your space. For instance, you may want to make your connections read only, and accept input to the space through some other channel (in order to avoid having rubbish inserted into your space). The other channel may be a servlet endpoint, which inserts relevant data into the space.
