Correct. If you have user IP space on the switch and don't need stateful firewall processing, it makes sense to use standard switching.
If you don't have user IP space on the switch, need stateful firewall processing (PCI, HIPAA, etc.) and/or just need centralized security policy, authentication and access control, then it makes sense to use tunnel-node and AAA is performed at the controller level.
We only use tunneled-node for one-off, special use cases. For example, we don't have public IP space in our dorms since they are only APs and phones. If we needed to provide a device a public IP address (an AT&T Femtocell for example), we use the tunneled-node feature.
Another note. Be sure that your controller can handle the tunnel count. Each tunneled port uses 1 tunnel.