I have not used remote connect as of yet as I continue to view the overall program to be too immature and still not ready for prime time. There are simply too many forum posts regarding various issues and GS itself has yet to release any pricing or bring the product out of Beta.
If I am reading your post correctly, you are wanting to restrict the use of the remote connect at the UCM level to a given IP or possibly to the application itself as a security measure, but I do not understand your remark about having to open up to the world. How might the rogue devices get in?
It is my understanding that the purpose of remote connect is to provide “a companion cloud service for the UCM6300 series that provides always-on, automatic NAT firewall traversal to ensure secure connections by remote users”. This implies to me that there is no need to open a firewall to allow such “secure” connections, and therefore makes the ACL issue moot, as you should be able to leave the ACL open as “rogue” devices should not be able to get past the firewall.
All the conditions you mentioned involved the use of RC devices, and if the product eliminates the NAT concern, then it is not clear to me why the concern.
I am sure I must be missing something, and as I indicated, I have yet to explore it.