Yes, that's basically true. But as you wrote, the GUI application that is part of a service either must not be writable by the user (which is OK in this case, as you need admin rights to install the service anyway), or the service has to prove that the application is the correct one.

Hopefully this talk doesn't go too far away from the original author's question, though it gets a little off-topic