From what I understand: If you don't have a MEX endpoint / WSDL, your service is basically non-discoverable. Only people who have knowledge of your data contract should be able to consume your service.
Does this assertion hold water, or are there ways for malicious denizens of the internet to figure out how to invoke/consume services that have no MEX endpoint?
EDIT: As Andrew pointed out, this strategy should not be considered to be truly secure. I'm wondering more along the lines of if it is safe from random abuse during a QA phase with external consumers.