A couple reasons I want to secure services using ArcGIS Server secure folders (beyond web adaptor) come to mind:
- we don't have the server/network resources to allow other "consumers" to include our REST in their apps., and
- some variations of our services are public, while others have more fields/data that are for internal use only.
I'm sure there are other reasons. If all your services are public and you aren't concerned about #1, then you may not need security. However, even if using the web adaptor and you don't openly publish your end point, a couple minutes with Fiddler or other developer tools can usually find this info. However, if you have security (Configuring ArcGIS Server security—Documentation (10.4) | ArcGIS for Server ) and a proxy, you can prevent others from using the services within their own. Again, that might not be a concern, but something to keep in mind.
You may want to check out ArcGIS Security—Trust ArcGIS | ArcGIS since it has info on security for many of the products/platforms.
Also, just as a note, make sure your patches are up to date, including the one mentioned here:
ArcGIS Server Security Patch (2016 Update2) | ArcGIS Blog
