Hi Renne,
If I'm incorrect in any of this, someone feel free to chime in! Since the SOAP calls are based entirely off the same RBAC that is in the UI, you could create a custom global role for SOAP and keep it almost entirely blank of permissions except for items you want it to touch.
For example:
The searchUser function in SOAP is directly tied to the 'Read' permission on the User Management area (Administration -> User Management -> Permissions).
Course Administration is also based off the RBAC on courses. If you wanted to blanket deny a user access to modifying / reading courses, you could not give the new SOAP role any access to the Repository area.
Let me know if this makes sense or if you want any examples!
Evan