First and foremost remember this:
You should consider that if any channel, incoming line, etc can enter an extension context that it has the capability of accessing any extension within that context.
Therefore, you should NOT allow access to outgoing or toll services in contexts that are accessible (especially without a password) from incoming channels, be they IAX channels, FX or other trunks, or even untrusted stations within you network. In particular, never ever put outgoing toll services in the "default" context. To make things easier, you can include the "default" context within other private contexts by using:
in the appropriate section. A well designed PBX might look like this: