Man In The Middle Attack On File Uploads

if the security measures were taken in both client side and server side there shouldn't be any problem. all web services should implement these things:

• the connection should be secure via SSL.
• if you are posting data to server there should be CSRF tokens in your form fields so untrusted users can't send data to server
• on the server never trust entered data by users and do data validation

so if you are using third party service just check it's documentation or ask directly from its developers.

please note that setting a filed hidden in the form is not a security measure, it is just for UI so the user don't see unnecessary input field when entering data.

actual real security concerns?

This depends on whether or not the application is properly secured.

• Is the url served via a secure connection (HTTPS)?
• Are all common security headers set, especially strict-transport-security?
• ...and other important headers, like X-Frame-Options to prevent clickjacking?
• Does the web application have a proper CORS policy/configuration=
• Is the web page secured against XSS (no vulnerable javascript frameworks used, X-XSS-Protection header properly set)?
• Is the form submitted via a secure connection (HTTPS)?
• Is "Service X" trustworthy?

When all of the above is true, and/or set up correctly, I don't see why this shouldn't be less or more secure than having the url already pre-set in the web application.

It would be preferable if service X was under the same control of the owner of the web application itself, since things like "trustworthyness" may change over time.

Just make sure that the application doesn't allow arbitrary upload urls for assets. I've seen that before, that webpage APIs allowed the user to specify the upload-url path, making it possible to create signed upload- and even download-links.