As far as I know, there's not a good way to do this. Public is public, and there's not a way to prevent users from just watching their network traffic to see where their survey responses are going and copy the URL.
What is the security concern with the REST endpoint being visible? You can disable the query capability on the service to prevent anonymous users from seeing the data in the layer, and restrict editing to adding new features only.
You'll still be potentially vulnerable to your form / service getting spammed, but I don't think you can avoid that.
- Josh Carlson
Kendall County GIS