I'm not sure I fully understand your question, but here's a little background information.
- On the client side, the InvokeServerMethod has several overloads to allow you to pass either a delegate to your method or just a type name. So, if you pass the type name (eg, "Demo.Entities.Employee, Demo.Entities") you don't need to reference the assembly on the client.
- The InvokeServerMethod call is as secure as any other BOS call. A SessionBundle is passed from the client to the BOS, and is validated on the BOS before calling your method. The IPrincipal for the client is also extracted from the session bundle and passed to your method so you can do further validation.
- Your server-side method can do whatever validation you require, and can also call other server-side logic to do the bulk of the work, and that other logic can reside in server-side only assemblies too.
Not sure if this answers your question.