Hm, I'd say apache shouldn't be running as nobody; as 'guest user with
no access' for samba, I'd think nobody is actually the correct choice.

I agree.  In fact, I said so in bug #12440 :)

However, as I see it, "big" packages (ie. ones bigger than fingerd and the
various talkd's) can probably "afford" their own userids.  Especially if they're
long-lived, rather than inetd processes.  (Hence my request in bug #12441 to
give identd its own uid now it's a "static" daemon.)

The only slight issue I see is that the default config has guest access off,
which would make a pcguest (or my favoured option - "smbguest") account more of
a liability than a useful enhancement.

apache is currently running as apache, not nobody. Also, no guest accounts are
enabled, and the guest user is configurable in the smb.conf file.

That makes this a really cheap default option, then.  Could you change the:

;guest user = nobody

to:

;Note: this account does not exist by default.  To add it, please run:
;# useradd -r -s /bin/false -d /home/samba -c "SMB guest account" smbguest
;guest user = smbguest

Cheap, easy, makes me happy.  Can't be all bad :-)