Also the "authorization convenience" for calls to WORKFLOW* destinations should ideally not be (mis)used outside the context of WAPIs (Workflow APIs).
There is however nothing wrong with creating your own logical destination for such update calls (I use it sometimes as well) but that makes it transparent what the call is for and you have better chances to restrict the access of WF-BATCH to WAPI only based processing APIs and the application auths it needs, and alternately your own scenarios. This is actually safer than SU24 in some cases as parallel processing via destination group IDs might loose the transaction context in some cases.
--> you should only use WAPIs for Workflow, even if it is very tempting not to... :-)
Otherwise you have limited chances to restrict WF-BATCH (but you can also change the name of the user ID in the WAPI calls - it is not hard coded).
Cheers,
Julius