In order to execute NSQL query web services, the user only needs a valid login (username and password).
It's then up to the individual NSQL queries to enforce security themselves, for example by including constraints in the WHERE clause based on the SECURITY NSQL constructs or the USER_ID parameter. So you will need to make the queries
Then even if they try to execute other NSQL queries, they will not get any results. In other words, for the NSQL query web services to be secure, the queries have to be secure.
The various Object web services (like project and so on) require specific XOG rights to be granted in the application before they can be used, so if they don't have the XOG Access rights to the objects and at least view permissions to the instances, they won't get access to the data.
Examples/references where the securing of NSQL has been covered through using the constructs mentioned above:
Adding portlet security NSQL
Filter Portlet by Current User as default behavior
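
The following is an added illustration, not part of the original answer: a project query without any restriction, next to the same query restricted with the SECURITY construct and with the USER_ID parameter. The table and column names (inv_investments, manager_id, odf_object_code) and the dimension labels are assumptions about the schema; each statement would be saved as its own NSQL query.

```sql
-- 1) Unrestricted: any user with a valid login who calls this query
--    through the Query web service gets every project row back.
SELECT @SELECT:DIM:USER_DEF:IMPLIED:PROJECT:inv.id:project_id@,
       @SELECT:DIM_PROP:USER_DEF:IMPLIED:PROJECT:inv.code:project_code@,
       @SELECT:DIM_PROP:USER_DEF:IMPLIED:PROJECT:inv.name:project_name@
FROM   inv_investments inv
WHERE  inv.odf_object_code = 'project'
AND    @FILTER@

-- 2) Restricted with the SECURITY construct: only project instances the
--    calling user has rights to are returned. A user without rights
--    gets an empty result set rather than an error.
SELECT @SELECT:DIM:USER_DEF:IMPLIED:PROJECT:inv.id:project_id@,
       @SELECT:DIM_PROP:USER_DEF:IMPLIED:PROJECT:inv.code:project_code@,
       @SELECT:DIM_PROP:USER_DEF:IMPLIED:PROJECT:inv.name:project_name@
FROM   inv_investments inv
WHERE  inv.odf_object_code = 'project'
AND    @FILTER@
AND    @WHERE:SECURITY:PROJECT:inv.id@

-- 3) Restricted with the USER_ID parameter: the platform substitutes the
--    id of the logged-in user, so the caller cannot supply someone
--    else's id. Here only projects managed by the caller are returned.
SELECT @SELECT:DIM:USER_DEF:IMPLIED:PROJECT:inv.id:project_id@,
       @SELECT:DIM_PROP:USER_DEF:IMPLIED:PROJECT:inv.code:project_code@,
       @SELECT:DIM_PROP:USER_DEF:IMPLIED:PROJECT:inv.name:project_name@
FROM   inv_investments inv
WHERE  inv.odf_object_code = 'project'
AND    @FILTER@
AND    inv.manager_id = @WHERE:PARAM:USER_ID@
```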