Greetings, I'm afraid I don't have a direct answer, although I'll offer you an opinion. Now granted I don't know the size and scope of your project, but from what admittedly little I know about SOE's, it seems like it might a lot of work - and you may be able to alleviate your security concern in a different manner. I do like your idea though, and let me know if you follow through with that path.
As an alternative, say you do require the client to call multiple web services - you could enforce that the syncing would fail by adding a column to each layer with an AuditID. Your pre-sync audit service does it's thing and stores a result in the DB "SyncLog" with a Guid or something, which is then returned to the client. You could then update the features's AuditID with the Guid, and have triggers on the DB that check for that value against your SyncLog table, and don't allow the updates/inserts if things don't check out, therefore the sync would fail.
I realize that may be a bit of work too, and definitely more of a hack, but in the event that the SOE route isn't feasible, just another thought.