Hi Matt,
I know a few things, I'm not a Server expert, hopefully if someone else reads this they can advise better than me about ArcGIS Server and its public data security.
Using ArcGIS Server we do have additional controls for instance, we can disable your REST directory, this would keep visitors from resolving the REST directory in a browser, however ArcMap users with a connection will still have the ability to read and process any layers they have access to.
You can also disable exports in both ArcGIS Server and ArcGIS online, this disables the REST options to export, but still ArcGIS desktop could still read copy what it it sees.
Example from Sample Server 6 has no REST option to extract, but can be copied in Desktop.
- Layer: Damage to Commercial Buildings (ID: 0)
As an alternative if you wanted to make it harder for copy you could disable the feature access, and publish a Cached Map service or hosted tile layer.
I hope this helps identify some of the usage angles, It still all comes back to our willingness to share publicly everything in the data we share.
-Adam