If I am not misreading your question,
Few things which I can think of are:
1. For regular logins, shell in /etc/passwd will be regular shell
while for authpf users, /usr/sbin/authpf
2. See login.conf man page. Having a separate login class for
authpf and regular users will give good control on what they
can do
3. Separate small partition for regular remote users with noexec
mount flag in /etc/fstab helps security
4. Seperate groups for each class of users coupled with dir and file
system permissions helps security
5. In case some users only do SFTP, see internal-sftp option for
sshd_config
Hope this helps.
Srikant.
