Basically, the Model::Create function does these steps:
- Instantiate a new model instance
- Using the input array, fill in all unguarded/fillable model attributes using set-mutators if available
- Save model to DB
- Return model
So as long as you add the fields that you don't want to be mass-assigned to your $guarded array (or excluded them from your $fillable array) there shouldn't be any security risks. The functionality is about the same as building the model gradually and then saving it.
As a recommendation: The input validation should happen within the model during either the "saving" or "creating" event. If you return false during one of those events, you'll halt the model creation.