Besides use/abuse by local users, you should also think about remote users when you set up a tunnel. Creating iptables rules in the OUTPUT chain can restrict local access of your Stunnel listener, but not remote access.
To prevent users on other systems from connecting to your local Stunnel listener be sure to configure the INPUT chain as well. You can't match packets based on user or group ID in this chain (it isn't possible to reliably identify which user on a remote system initiates a TCP connection—ident isn't very secure), but you can match packets by source IP, e.g., ! -s localhost -j DROP.