Depending on your security needs, that might work.
As long as you don't add the "connect" role to your anonymous access credentials, then remote users still wouldn't be able to get REST or WebDAV access to your server. However, any other application running on the same app server that could access your repository (e.g., through JNDI) _could_ take advantage of that anonymous access.
Actually I know the code paths for these 'background' users. So when I go to create a JCR session I can use GuestCredentials for them only. So if you try to connect any other way you would never get there, and you sure would need a valid username/pw. I just want to make sure I'm not relying on 'demo-code' here (as the docs suggest), and that every JCR implementation will honor this behavior.