In a previous project, we created a specific user role for web services and a specific one for each different Mendix application. This allows you to strictly set the access of each of the applications to one another.
I think it makes sense to have at least one specific Webservice user role, since you don't want other users to access that functionality.