What people do is create stored procedures to perform the updates. The stored procedures are created with Definer rights. This means they execute as sys_repo. Only give sys_repo schema rights and no one else.
In SPS09 we plan for something new called context sensitive authorizations. This will really solve your problem. It will allow you to set the schema rights such that a user only has them when running through a specific XS URL.
One other possible solution I just thought of: you could use a SQLCC and switch to a fixed user that has this authorization in the XSJS Connection object. You would still authenticate the user to the XS Application, controlling access at the user level or the service call. However, in the XSJS logic itself you would force a SQLCC Anonymous connection. Just don’t put the SQLCC at the XSACCESS level, as this would make the entire service call anonymous. You would still have to adapt all your XSJS Connection creation logic, but this would be easier than converting everything to Procedures.
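As an added illustration of the stored-procedure approach in the reply above (example code, not from the original post), the SQL below shows a definer-rights procedure and the minimal grant that goes with it. The schema, table, procedure, role and user names are assumptions; in a repository deployment the same definition would live in an .hdbprocedure file owned by _SYS_REPO, with the grant carried by a role.

```sql
-- Added example (not from the original post).
-- Assumed names: schema APP_DATA, table ORDERS, procedure UPDATE_ORDER_STATUS,
-- role APP_ORDER_UPDATER, application user APP_USER_1.

-- The procedure is owned by the technical user (in the repository case _SYS_REPO).
-- SQL SECURITY DEFINER makes it run with the owner's privileges, so callers
-- need no privilege on the underlying table or schema at all.
CREATE PROCEDURE "APP_DATA"."UPDATE_ORDER_STATUS" (
    IN  iv_order_id  INTEGER,
    IN  iv_status    NVARCHAR(20),
    OUT ov_rows      INTEGER
)
LANGUAGE SQLSCRIPT
SQL SECURITY DEFINER
AS
BEGIN
    -- Only the transitions coded here can ever happen, because this
    -- procedure is the only write path granted to application users.
    UPDATE "APP_DATA"."ORDERS"
       SET "STATUS" = :iv_status
     WHERE "ORDER_ID" = :iv_order_id
       AND "STATUS" IN ('NEW', 'IN_PROGRESS');
    ov_rows = ::ROWCOUNT;
END;

-- Grant EXECUTE on the procedure only; do NOT grant UPDATE on the table
-- or any privilege on the schema to application users.
CREATE ROLE "APP_ORDER_UPDATER";
GRANT EXECUTE ON "APP_DATA"."UPDATE_ORDER_STATUS" TO "APP_ORDER_UPDATER";
GRANT "APP_ORDER_UPDATER" TO "APP_USER_1";

-- Check: the role should list only the EXECUTE privilege on the procedure,
-- no table or schema privileges.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE GRANTEE = 'APP_ORDER_UPDATER';
```

The same contrast applies to SQL SECURITY INVOKER: with invoker rights the caller would need UPDATE on the table, which is exactly the schema-level grant the reply says to avoid.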