In Worklight 5, Worklight Studio uses Jetty internally and a context root is not required. Only once you move your project to an application server such as Tomcat, WebSphere or Liberty do you have to specify it (in worklight.properties and application-descriptor.xml).
So:
In development - no.
In production - yes.
In Worklight 6, where Jetty has been replaced with Liberty, the context root is now part of your project whether you are in development or production.
You will have to add the "wl_unprotected" securityTest to your procedure in the adapter XML.
As for protecting the requests, my guess is that your IT department can isolate and protect specific URLs and not allow using them in certain scenarios. You already have the URL structure for them to use.
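An inventory of which procedures carry securityTest="wl_unprotected" gives the people restricting URLs a concrete list to work from. The script below is an added example, not part of the original answer; the adapter name, procedure names, the "customTests" value and the sample descriptor are constructed, and it assumes the securityTest attribute sits on the procedure element as described above.

```python
import xml.etree.ElementTree as ET

# Constructed sample adapter descriptor (hypothetical names, not from the post).
SAMPLE_ADAPTER_XML = """
<wl:adapter name="DemoAdapter"
    xmlns:wl="http://www.worklight.com/integration">
  <displayName>DemoAdapter</displayName>
  <procedure name="getStories" securityTest="wl_unprotected"/>
  <procedure name="getAccount" securityTest="customTests"/>
  <procedure name="ping"/>
</wl:adapter>
"""


def local_name(tag):
    """Strip an XML namespace ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def list_procedures(adapter_xml):
    """Return (adapter, procedure, securityTest or None) for every procedure.

    Intended for descriptors from your own project tree; do not feed it
    untrusted XML, since the stdlib parser expands internal entities.
    """
    root = ET.fromstring(adapter_xml)
    if local_name(root.tag) != "adapter":
        raise ValueError("not an adapter descriptor")
    adapter = root.get("name", "")
    rows = []
    for element in root.iter():
        if local_name(element.tag) == "procedure":
            test = element.get("securityTest")
            rows.append((adapter, element.get("name", ""),
                         test.strip() if test else None))
    return rows


def unprotected_procedures(adapter_xml):
    """Return (adapter, procedure) pairs explicitly marked wl_unprotected."""
    return [(a, p) for a, p, t in list_procedures(adapter_xml)
            if t == "wl_unprotected"]


if __name__ == "__main__":
    for adapter, procedure in unprotected_procedures(SAMPLE_ADAPTER_XML):
        print(f"{adapter}.{procedure} is marked wl_unprotected")
```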