in reply to Re: Secure Webmin
in thread Secure Webmin

My privileged daemon authenticates and validates just like any other server. It could be open on the internet and it would be OK.

In practice, I have it listening on a Unix socket, so only localhost can contact it, and I have the permissions restricted so only the web front-end can talk to it. The web front end is a Catalyst app running fast-cgi as a daemon process which talks to Apache over a socket. This lets me run the web process as yet another user, different from the web server user.
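
An added example, not code from this thread or from the poster's daemon: the Unix-socket arrangement described above, with the socket file created owner/group-only and, going one step beyond the post, a kernel-reported peer UID check (Linux SO_PEERCRED). The function names, the 0660 mode and the temporary path are assumptions.

```python
import os, socket, stat, struct, tempfile

def bind_restricted(path, mode=0o660):
    """Listen on a Unix socket whose file never exists with looser bits than `mode`."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(0o777 & ~mode)      # applied at bind(), so no chmod race afterwards
    try:
        srv.bind(path)
    finally:
        os.umask(old)
    # Deployment assumption: chown the file to a group holding only the front-end user.
    srv.listen(8)
    return srv

def peer_uid(conn):
    """UID of the connecting process as recorded by the kernel (Linux SO_PEERCRED)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("iII"))
    _pid, uid, _gid = struct.unpack("iII", raw)
    return uid

def accept_from(srv, allowed_uids):
    """Accept one connection; drop it unless the peer's UID is allowed."""
    conn, _ = srv.accept()
    if peer_uid(conn) not in allowed_uids:
        conn.close()
        return None
    return conn   # the daemon's own request authentication still runs on top of this

def demo():
    """Constructed run: this process plays both the daemon and the front end."""
    path = os.path.join(tempfile.mkdtemp(), "priv.sock")
    srv = bind_restricted(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    results = []
    for allowed in ({os.getuid()}, {os.getuid() + 1}):   # own UID, then a foreign one
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)
        conn = accept_from(srv, allowed)
        results.append(conn is not None)
        if conn:
            conn.close()
        cli.close()
    srv.close()
    os.unlink(path)
    os.rmdir(os.path.dirname(path))
    return mode, results

if __name__ == "__main__":
    print(demo())
```

The file mode keeps other local users from connecting at all; the peer UID check catches the case where the mode or group membership is later loosened by mistake.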

Re^3: Secure Webmin
by SwellJoe (Scribe) on May 30, 2009 at 11:16 UTC
    How do you handle the authentication details for the root daemon?